Обсуждение: 8.2.0 upgrade issue: loss of CONNECT rights
Another thing to watch out for when upgrading to 8.2.0:
I had some 8.1.x databases with restricted rights, like REVOKE CREATE ON
DATABASE. After pg_dumpall and reload into 8.2.0, I lost CONNECT rights on
those databases. So only the superuser account can connect. The reason
seems to be that my dump file had REVOKE ALL ON DATABASE, then added the
specific GRANT rights. At 8.2.0, REVOKE ALL includes revoking CONNECT
rights even though they were always granted at 8.1.5.
For example, here are my database rights under 8.1.5:
{postgres=CT/postgres,=T/postgres,lbayuk=C/postgres}
So public has TEMP, I have CREATE (and TEMP, via public).
My dump file had something like this:
CREATE DATABASE test WITH ...
REVOKE ALL ON DATABASE test FROM PUBLIC;
REVOKE ALL ON DATABASE test FROM postgres;
GRANT ALL ON DATABASE test TO postgres;
GRANT TEMPORARY ON DATABASE test TO PUBLIC;
GRANT CREATE ON DATABASE test TO lbayuk;
After the upgrade to 8.2.0 the database rights are:
{postgres=CTc/postgres,=T/postgres,lbayuk=C/postgres}
So now me and PUBLIC cannot connect because we don't have the new 'c' right.
I tried using both 8.1.5 pg_dumpall and 8.2.0 pg_dumpall to dump the
8.1.5 database, and both had the problem.
To fix: GRANT CONNECT ON DATABASE ... TO PUBLIC;
L Bayuk <lbayuk@pobox.com> writes:
> Another thing to watch out for when upgrading to 8.2.0:
> I had some 8.1.x databases with restricted rights, like REVOKE CREATE ON
> DATABASE. After pg_dumpall and reload into 8.2.0, I lost CONNECT rights on
> those databases. So only the superuser account can connect. The reason
> seems to be that my dump file had REVOKE ALL ON DATABASE, then added the
> specific GRANT rights. At 8.2.0, REVOKE ALL includes revoking CONNECT
> rights even though they were always granted at 8.1.5.
Hmmm ... I think we could hack 8.2's pg_dumpall to compensate for that,
ie throw in a GRANT CONNECT ... TO PUBLIC when dumping from a pre-8.2
server. But of course this wouldn't do anything for databases dumped
with older versions of pg_dumpall.
regards, tom lane
This was fixed in 8.2.1. Thanks for the report. --------------------------------------------------------------------------- Tom Lane wrote: > L Bayuk <lbayuk@pobox.com> writes: > > Another thing to watch out for when upgrading to 8.2.0: > > I had some 8.1.x databases with restricted rights, like REVOKE CREATE ON > > DATABASE. After pg_dumpall and reload into 8.2.0, I lost CONNECT rights on > > those databases. So only the superuser account can connect. The reason > > seems to be that my dump file had REVOKE ALL ON DATABASE, then added the > > specific GRANT rights. At 8.2.0, REVOKE ALL includes revoking CONNECT > > rights even though they were always granted at 8.1.5. > > Hmmm ... I think we could hack 8.2's pg_dumpall to compensate for that, > ie throw in a GRANT CONNECT ... TO PUBLIC when dumping from a pre-8.2 > server. But of course this wouldn't do anything for databases dumped > with older versions of pg_dumpall. > > regards, tom lane > > ---------------------------(end of broadcast)--------------------------- > TIP 9: In versions below 8.0, the planner will ignore your desire to > choose an index scan if your joining column's datatypes do not > match -- Bruce Momjian bruce@momjian.us EnterpriseDB http://www.enterprisedb.com + If your life is a hard drive, Christ can be your backup. +