On Wed, Apr 07, 2021 at 10:13:30AM -0700, Richard Yen wrote:
> I noticed that in some situations involving the use of REVOKE ON SCHEMA,
> pg_dump
> can produce a dump that cannot be restored. This prevents successful
> pg_restore (and by corollary, pg_upgrade).
>
> An example shell script to recreate this problem is attached. The error
> output appears at the end like this:
>
> <snippet>
> + pg_restore -d postgres /tmp/foo.dmp
> pg_restore: [archiver (db)] Error while PROCESSING TOC:
> pg_restore: [archiver (db)] Error from TOC entry 2748; 0 0 ACL TABLE
> mytable owneruser
> pg_restore: [archiver (db)] could not execute query: ERROR: permission
> denied for schema private
> Command was: GRANT SELECT ON TABLE private.mytable TO privileged WITH
> GRANT OPTION;
> SET SESSION AUTHORIZATION privileged;
> GRANT SELECT ON TABLE private.mytable TO enduser WITH GRANT OPTION;
> RESET SESSION AUTHORIZATION;
> WARNING: errors ignored on restore: 1
> -bash-4.2$
> </snippet>
>
> Note that `privileged` user needs to grant permissions to `enduser`, but
> can no longer do so because `privileged` no longer has access to the
> `private` schema (it was revoked).
>
> How might we fix up pg_dump to handle these sorts of situations?
I would approach this by allowing GRANT to take a grantor role name. Then,
we'd remove the SET SESSION AUTHORIZATION, and the user running the restore
would set the grantor. "GRANT SELECT ON TABLE foo TO bob GRANTED BY alice;"
looks reasonable to me, though one would need to check if SQL requires that to
have some different behavior.
> It seems
> like pg_dump might need extra logic to GRANT the schema permissions to the
> `privileged` user and then REVOKE them later on?
That could work, but I would avoid it for a couple of reasons. In some
"pg_restore --use-list" partial restores, the schema privilege may already
exist, and this design may surprise the DBA by removing the existing
privilege. When running a restore as a non-superuser, the additional
GRANT/REVOKE could be a source of permission denied failures.