Tom,

* Tom Lane (t...@sss.pgh.pa.us) wrote:
> AFAICT, pg_dump has no notion that it needs to be careful about the order
> in which permissions are granted. I did

I'm afraid that's correct, though I believe that's always been the case.

I spent some time looking into this today and from what I've gathered so far, there's essentially an implicit (or at least, I couldn't find any explicit reference to it) ordering in ACLs whereby a role which was given a GRANT OPTION always appears in the ACL list before an ACL entry where that role is GRANT'ing that option to another role, and this is what pg_dump was (again, implicitly, it seems) depending on to get this correct in prior versions.

Pulling apart the ACL list and rebuilding it to handle adding/revoking of default options on objects ends up, in some cases, changing the ordering around for the ACLs and that's how pg_dump comes to emit the GRANT commands in the wrong order.

Looks like what is needed is an explicit ordering to the ACLs in pg_dump to ensure that it emits the GRANTs in the correct order, which should be that a given GRANTOR's rights must be before any ACL which that GRANTOR granted. Ideally, that could be crafted into the SQL query which is sent to the server, but I haven't quite figured out if that'll be possible or not. If not, it shouldn't be too hard to implement in pg_dump directly.

I don't, at the moment, think we actually need to do any checks in the backend code to make sure that the implicit ordering is always held, assuming we make this change in pg_dump. I do wonder if it might be possible, with the correct set of GRANTs (perhaps having role memberships coming into play also, as discussed in the header of select_best_grantor()) to generate an ACL list with an "incorrect" ordering which would end up causing issues in older releases with pg_dump. We've had precious little complaints from the field about this and so, even if we were to generate such a case, I'm not sure that we'd want to add all the code necessary to avoid it and then back-patch it.

Thanks!

Stephen
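
The ordering rule described in the message above (a grantor's rights must come before any ACL entry that grantor granted), as an added Python example; it is not pg_dump code and is not part of the original message. It assumes simple unquoted role names in the `grantee=privs/grantor` aclitem text form, treats the object owner as implicitly holding every grant option, and ignores role memberships; `parse_aclitem`, `order_grants` and the sample ACL are constructed for illustration.

```python
import re

# aclitem text form: grantee=privs/grantor. A '*' after a privilege letter
# marks WITH GRANT OPTION; an empty grantee means PUBLIC.
# Assumption: role names are simple and unquoted.
ACLITEM = re.compile(r"^(?P<grantee>[^=]*)=(?P<privs>(?:[A-Za-z]\*?)*)/(?P<grantor>.+)$")


def parse_aclitem(text):
    """Return (grantee, grantor, {privilege_letter: has_grant_option})."""
    m = ACLITEM.match(text)
    if not m:
        raise ValueError(f"not an aclitem: {text!r}")
    privs = {p: bool(star) for p, star in re.findall(r"([A-Za-z])(\*?)", m["privs"])}
    return m["grantee"] or "PUBLIC", m["grantor"], privs


def order_grants(acl, owner):
    """Reorder ACL entries so a grantor's grant options precede their use.

    An entry is ready when its grantor is the owner, or when every privilege
    in it was already given to the grantor WITH GRANT OPTION by an earlier
    emitted entry. Ready entries keep their original relative order.
    """
    pending = [(item, *parse_aclitem(item)) for item in acl]
    grantable = set()  # (role, privilege) pairs whose grant option is emitted
    ordered = []
    while pending:
        deferred = []
        for item, grantee, grantor, privs in pending:
            if grantor == owner or all((grantor, p) in grantable for p in privs):
                ordered.append(item)
                grantable.update((grantee, p) for p, opt in privs.items() if opt)
            else:
                deferred.append((item, grantee, grantor, privs))
        if len(deferred) == len(pending):
            # No entry became ready: the grantor's rights are not in this ACL
            # (for example, they come from a role membership).
            raise ValueError(f"cannot order: {[d[0] for d in deferred]}")
        pending = deferred
    return ordered


# Constructed sample: carol's entry appears before bob receives the grant option.
SAMPLE_ACL = ["carol=r/bob", "bob=r*/alice", "alice=arwdDxt/alice"]

if __name__ == "__main__":
    for entry in order_grants(SAMPLE_ACL, owner="alice"):
        print(entry)
```
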