Thread: Re: Clarification on Role Access Rights to Table Indexes
> As it stands, a superuser can prewarm an index (because she bypasses all
> privilege checks including this one), but nobody else can.
> privilege checks including this one), but nobody else can.
That's not fully true. Any role can prewarm an index if the role has the correct privileges.
postgres=# GRANT CREATE ON SCHEMA PUBLIC TO alpha;
GRANTpostgres=# SET ROLE alpha;
SET
postgres=> CREATE TABLE tab(id INT);
CREATE TABLE
postgres=> CREATE INDEX tab_idx ON tab(id);
CREATE INDEX
postgres=> SELECT pg_prewarm('tab_idx');
pg_prewarm
------------
1
(1 row)
Don't know what stopped it from prewarming the catalog table index.
Maybe it's checking who is the owner of the table. Although in code
it's just checking the ACL_SELECT [1]. I will be debugging more here
and maybe create a patch for the same.
it's just checking the ACL_SELECT [1]. I will be debugging more here
and maybe create a patch for the same.
postgres=# RESET ROLE;
RESET
postgres=# CREATE TABLE superuser_tab(id INT);
CREATE TABLE
postgres=# CREATE INDEX idx_superuser_tab ON superuser_tab(id);
CREATE INDEX
postgres=# GRANT SELECT ON superuser_tab TO alpha;
GRANT
postgres=# SET ROLE alpha;
SET
postgres=> SELECT pg_prewarm('superuser_tab');
pg_prewarm
------------
0
(1 row)
RESET
postgres=# CREATE TABLE superuser_tab(id INT);
CREATE TABLE
postgres=# CREATE INDEX idx_superuser_tab ON superuser_tab(id);
CREATE INDEX
postgres=# GRANT SELECT ON superuser_tab TO alpha;
GRANT
postgres=# SET ROLE alpha;
SET
postgres=> SELECT pg_prewarm('superuser_tab');
pg_prewarm
------------
0
(1 row)
postgres=> SELECT pg_prewarm('idx_superuser_tab');
ERROR: permission denied for index idx_superuser_tab
ERROR: permission denied for index idx_superuser_tab
postgres=> RESET ROLE;
RESET
postgres=# ALTER TABLE superuser_tab OWNER TO alpha;
ALTER TABLE
postgres=# SET ROLE alpha;
SET
postgres=> SELECT pg_prewarm('idx_superuser_tab');
pg_prewarm
------------
1
(1 row)
RESET
postgres=# ALTER TABLE superuser_tab OWNER TO alpha;
ALTER TABLE
postgres=# SET ROLE alpha;
SET
postgres=> SELECT pg_prewarm('idx_superuser_tab');
pg_prewarm
------------
1
(1 row)
But I agree we should just check the table privileges even in the case of
indexes to decide whether to prewarm or not, as indexes don't have any privileges
of their own.
> I think -hackers would be the appropriate location for that.
I am shifting this to -hackers mailing list instead of general.
[1] https://github.com/postgres/postgres/blob/master/contrib/pg_prewarm/pg_prewarm.c#L108-L110
Regards,
Ayush Vatsa
SDE AWS
indexes to decide whether to prewarm or not, as indexes don't have any privileges
of their own.
> I think -hackers would be the appropriate location for that.
I am shifting this to -hackers mailing list instead of general.
[1] https://github.com/postgres/postgres/blob/master/contrib/pg_prewarm/pg_prewarm.c#L108-L110
Regards,
Ayush Vatsa
SDE AWS
Ayush Vatsa <ayushvatsa1810@gmail.com> writes:
>> As it stands, a superuser can prewarm an index (because she bypasses all
>> privilege checks including this one), but nobody else can.
> That's not fully true. Any role can prewarm an index if the role has the
> correct privileges.
Ah, right. An index will have null pg_class.relacl, which'll be
interpreted as "owner has all rights", so it will work for the
table owner too. Likely this explains the lack of prior complaints.
It's still a poor design IMO.
regards, tom lane
On Mon, Feb 17, 2025 at 2:57 PM Tom Lane <tgl@sss.pgh.pa.us> wrote: > Ayush Vatsa <ayushvatsa1810@gmail.com> writes: > >> As it stands, a superuser can prewarm an index (because she bypasses all > >> privilege checks including this one), but nobody else can. > > > That's not fully true. Any role can prewarm an index if the role has the > > correct privileges. > > Ah, right. An index will have null pg_class.relacl, which'll be > interpreted as "owner has all rights", so it will work for the > table owner too. Likely this explains the lack of prior complaints. > It's still a poor design IMO. I'm not sure if I'd call that a "design". Sounds like I just made a mistake here. -- Robert Haas EDB: http://www.enterprisedb.com
> I'm not sure if I'd call that a "design". Sounds like I just made a
> mistake here.
> mistake here.
Thanks Robert for confirming, let me submit a patch to fix the same.
Regards
Ayush Vatsa
ADE AWS
Ayush Vatsa <ayushvatsa1810@gmail.com> writes:
> Thanks Robert for confirming, let me submit a patch to fix the same.
Well, the first thing you need is consensus on what the behavior
should be instead.
I have a very vague recollection that we concluded that SELECT
privilege was a reasonable check because if you have that you
could manually prewarm by reading the table. That would lead
to the conclusion that the minimal fix is to look at the owning
table's privileges instead of the index's own privileges.
Or we could switch to using ownership, which'd keep the code
simple but some users might complain it's too restrictive.
While I mentioned built-in roles earlier, I now think those mostly
carry more privilege than should be required here, given the analogy
to SELECT.
regards, tom lane
On Mon, Feb 17, 2025 at 3:02 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
Ayush Vatsa <ayushvatsa1810@gmail.com> writes:
> Thanks Robert for confirming, let me submit a patch to fix the same.
Well, the first thing you need is consensus on what the behavior
should be instead.
I have a very vague recollection that we concluded that SELECT
privilege was a reasonable check because if you have that you
could manually prewarm by reading the table. That would lead
to the conclusion that the minimal fix is to look at the owning
table's privileges instead of the index's own privileges.
I feel like if you can blow up the cache by loading an entire table into memory with just select privilege on the table we should be ok with allowing the same person to name an index on the same table and load it into the cache too.
David J.
On Mon, Feb 17, 2025 at 5:18 PM David G. Johnston <david.g.johnston@gmail.com> wrote: >> I have a very vague recollection that we concluded that SELECT >> privilege was a reasonable check because if you have that you >> could manually prewarm by reading the table. That would lead >> to the conclusion that the minimal fix is to look at the owning >> table's privileges instead of the index's own privileges. > > I feel like if you can blow up the cache by loading an entire table into memory with just select privilege on the tablewe should be ok with allowing the same person to name an index on the same table and load it into the cache too. +1. -- Robert Haas EDB: http://www.enterprisedb.com
Robert Haas <robertmhaas@gmail.com> writes:
> On Mon, Feb 17, 2025 at 5:18 PM David G. Johnston
> <david.g.johnston@gmail.com> wrote:
>>> I have a very vague recollection that we concluded that SELECT
>>> privilege was a reasonable check because if you have that you
>>> could manually prewarm by reading the table. That would lead
>>> to the conclusion that the minimal fix is to look at the owning
>>> table's privileges instead of the index's own privileges.
>> I feel like if you can blow up the cache by loading an entire table into memory with just select privilege on the
tablewe should be ok with allowing the same person to name an index on the same table and load it into the cache too.
> +1.
Is that a +1 for the specific design of "check SELECT on the index's
table", or just a +1 for changing something here?
regards, tom lane
On Tue, Feb 18, 2025 at 11:02 AM Tom Lane <tgl@sss.pgh.pa.us> wrote: > Is that a +1 for the specific design of "check SELECT on the index's > table", or just a +1 for changing something here? That is a +1 for the specific design of "check SELECT on the index's table". I don't want to be closed-minded: if you have some strong reason for believing that's the wrong thing to do, I'm all ears. However, I'm presently of the view that it is exactly the right thing to do, to the point where I don't currently understand why there's anything to think about here. -- Robert Haas EDB: http://www.enterprisedb.com
Robert Haas <robertmhaas@gmail.com> writes:
> That is a +1 for the specific design of "check SELECT on the index's
> table". I don't want to be closed-minded: if you have some strong
> reason for believing that's the wrong thing to do, I'm all ears.
> However, I'm presently of the view that it is exactly the right thing
> to do, to the point where I don't currently understand why there's
> anything to think about here.
I have no objection to it, but I wasn't as entirely convinced
as you are that it's the only plausible answer.
One specific thing I'm slightly worried about is that a naive
implementation would probably cause this function to lock the
table after the index, risking deadlock against queries that
take the locks in the more conventional order. I don't recall
what if anything we've done about that in other places
(-ENOCAFFEINE).
regards, tom lane
On Tue, Feb 18, 2025 at 11:30 AM Tom Lane <tgl@sss.pgh.pa.us> wrote: > I have no objection to it, but I wasn't as entirely convinced > as you are that it's the only plausible answer. Hmm, OK. > One specific thing I'm slightly worried about is that a naive > implementation would probably cause this function to lock the > table after the index, risking deadlock against queries that > take the locks in the more conventional order. I don't recall > what if anything we've done about that in other places > (-ENOCAFFEINE). Yeah, that seems like a good thing to worry about from an implementation point of view but it doesn't seem like a reason to question the basic design choice. In general, if you can use a table, you also get to use its indexes, so that interpretation seems natural to me here, also. Now, if somebody finds a problem with requiring only SELECT permission, I could see changing the requirements for both tables and indexes, but I find it harder to imagine that we'd want those things to work differently from each other. Of course I'm willing to be convinced that there's a good reason for them to be different; I just can't currently imagine what it might be. -- Robert Haas EDB: http://www.enterprisedb.com
Hello Everyone,
It seems there's a general consensus that we should maintain a
original design to support pg_prewarm, with a minor adjustment:
when querying indexes, we should verify the privileges of the parent table.
I’ve attached a patch for this, which includes some test cases as well.
Let me know if it needs any changes.
Regards,
Ayush Vatsa
SDE AWS
Attachment
Added the CF entry for the same - https://commitfest.postgresql.org/patch/5583/
Regards,
Ayush Vatsa
Ayush Vatsa
SDE AWS