Discussion: permission inconsistency with functions
Hello,

I am writing a blog on backups with postgresql, which I plan at some point (if someone doesn't beat me to it) on turning into a patch for the docs but I found this inconsistency:

The docs state that:

"In particular, it must have read access to all tables that you want to back up, so in practice you almost always have to run it as a database superuser."

Ignoring the fact that databases have a lot more objects than tables, there is no READ/SELECT permission for functions. Thus in order to backup a function, I must have EXECUTE permissions on the function. Further if I don't have EXECUTE permissions I can still see the function in pg_proc.

This seems like an inconsistency worth looking into, especially now that we have per column perms.

Sincerely,

Joshua D. Drake

--
PostgreSQL.org Major Contributor
Command Prompt, Inc: http://www.commandprompt.com/ - 509.416.6579
Consulting, Training, Support, Custom Development, Engineering
http://twitter.com/cmdpromptinc | http://identi.ca/commandprompt

On fre, 2010-07-23 at 11:48 -0700, Joshua D. Drake wrote:
> "In particular, it must have read access to all tables that you want to
> back up, so in practice you almost always have to run it as a database
> superuser."
>
> Ignoring the fact that databases have a lot more objects than tables,
> there is no READ/SELECT permission for functions. Thus in order to
> backup a function, I must have EXECUTE permissions on the function.
> Further if I don't have EXECUTE permissions I can still see the
> function in pg_proc.

In order to back up a table's contents you must read it, but you don't need to execute a function in order to back it up. It's not inconsistent, it's just different.

On Fri, 2010-07-23 at 21:55 +0300, Peter Eisentraut wrote:
> On fre, 2010-07-23 at 11:48 -0700, Joshua D. Drake wrote:
> > "In particular, it must have read access to all tables that you want to
> > back up, so in practice you almost always have to run it as a database
> > superuser."
> >
> > Ignoring the fact that databases have a lot more objects than tables,
> > there is no READ/SELECT permission for functions. Thus in order to
> > backup a function, I must have EXECUTE permissions on the function.
> > Further if I don't have EXECUTE permissions I can still see the
> > function in pg_proc.
>
> In order to back up a table's contents you must read it, but you don't
> need to execute a function in order to back it up. It's not
> inconsistent, it's just different.

Sorry, you are correct, I made a mistake in my ERROR message reading.

JD

--
PostgreSQL.org Major Contributor
Command Prompt, Inc: http://www.commandprompt.com/ - 509.416.6579
Consulting, Training, Support, Custom Development, Engineering
http://twitter.com/cmdpromptinc | http://identi.ca/commandprompt
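
The distinction discussed in this thread, as an added example that is not part of the original messages: a role with neither SELECT on a table nor EXECUTE on a function can still read the function's definition from the catalog, but not the table's rows. The role, table and function names are constructed, and the script assumes default catalog permissions and a superuser session in a scratch database.

```sql
-- Added example; all role and object names are constructed.
-- Everything runs inside one transaction and is rolled back at the end.
BEGIN;

CREATE ROLE backup_probe NOLOGIN;
CREATE TABLE ledger (id int PRIMARY KEY, amount numeric);
INSERT INTO ledger VALUES (1, 100.00);

CREATE FUNCTION ledger_total() RETURNS numeric
    LANGUAGE sql AS 'SELECT sum(amount) FROM ledger';

-- New functions grant EXECUTE to PUBLIC by default; take it away.
REVOKE ALL ON FUNCTION ledger_total() FROM PUBLIC;

SET LOCAL ROLE backup_probe;

-- Confirm what the role holds on each object.
SELECT has_table_privilege('ledger', 'SELECT')             AS can_read_table,
       has_function_privilege('ledger_total()', 'EXECUTE') AS can_execute;

-- The definition lives in pg_proc, which is readable without EXECUTE,
-- so the function can be inspected (and dumped) without being callable.
SELECT proname, prosrc FROM pg_proc WHERE proname = 'ledger_total';
SELECT pg_get_functiondef('ledger_total()'::regprocedure);

-- The table's contents are different: reading rows requires SELECT,
-- so this statement is rejected for backup_probe.
SAVEPOINT before_read;
SELECT * FROM ledger;
ROLLBACK TO SAVEPOINT before_read;

ROLLBACK;
```

Because the function body is visible to any role that can query pg_proc, revoking EXECUTE limits who can call a function, not who can read its source.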