Обсуждение: pg_dumpall and owner of the extension
Hi,
pg_pumpall (13.4) changes owner of the extension.
Source instance 13.4:
function boolop is part of extension intarray
diam=# \dx intarray
List of installed extensions
Name | Version | Schema | Description
----------+---------+--------+--------------------------------------------------------------------
intarray | 1.3 | iamapp | functions, operators, and index support for 1-D arrays of integers
(1 row)
diam=# \dn iamapp
List of schemas
Name | Owner
--------+-------------
iamapp | iamappadmin
(1 row)
diam=# \df+ iamapp.boolop
List of functions
-[ RECORD 1 ]-------+-----------------------------
Schema | iamapp
Name | boolop
Result data type | boolean
Argument data types | integer[], iamapp.query_int
Type | func
Volatility | immutable
Parallel | safe
Owner | iamappadmin
Security | invoker
Access privileges |
Language | c
Source code | boolop
Description | boolean operation with array
Export is done using pg_dumpall.
Dest instance 15.4:
pg_pumpall (13.4) changes owner of the extension.
Source instance 13.4:
function boolop is part of extension intarray
diam=# \dx intarray
List of installed extensions
Name | Version | Schema | Description
----------+---------+--------+--------------------------------------------------------------------
intarray | 1.3 | iamapp | functions, operators, and index support for 1-D arrays of integers
(1 row)
diam=# \dn iamapp
List of schemas
Name | Owner
--------+-------------
iamapp | iamappadmin
(1 row)
diam=# \df+ iamapp.boolop
List of functions
-[ RECORD 1 ]-------+-----------------------------
Schema | iamapp
Name | boolop
Result data type | boolean
Argument data types | integer[], iamapp.query_int
Type | func
Volatility | immutable
Parallel | safe
Owner | iamappadmin
Security | invoker
Access privileges |
Language | c
Source code | boolop
Description | boolean operation with array
Export is done using pg_dumpall.
Dest instance 15.4:
After import (psql -a -f )
diam=# \dx intarray
List of installed extensions
Name | Version | Schema | Description
----------+---------+--------+--------------------------------------------------------------------
intarray | 1.5 | iamapp | functions, operators, and index support for 1-D arrays of integers
(1 row)
diam=# \dn iamapp
List of schemas
Name | Owner
--------+-------------
iamapp | iamappadmin
(1 row)
diam=# \dx intarray
List of installed extensions
Name | Version | Schema | Description
----------+---------+--------+--------------------------------------------------------------------
intarray | 1.5 | iamapp | functions, operators, and index support for 1-D arrays of integers
(1 row)
diam=# \dn iamapp
List of schemas
Name | Owner
--------+-------------
iamapp | iamappadmin
(1 row)
diam=# \df+ iamapp.boolop
List of functions
-[ RECORD 1 ]-------+-----------------------------
Schema | iamapp
Name | boolop
Result data type | boolean
Argument data types | integer[], iamapp.query_int
Type | func
Volatility | immutable
Parallel | safe
Owner | postgres
Security | invoker
Access privileges |
Language | c
Source code | boolop
Description | boolean operation with array
Manual says "The user who runs CREATE EXTENSION becomes the owner of the extension".
So pg_dumpall is not aware who ran "CREATE EXTENSION"?
br
Kaido
List of functions
-[ RECORD 1 ]-------+-----------------------------
Schema | iamapp
Name | boolop
Result data type | boolean
Argument data types | integer[], iamapp.query_int
Type | func
Volatility | immutable
Parallel | safe
Owner | postgres
Security | invoker
Access privileges |
Language | c
Source code | boolop
Description | boolean operation with array
Manual says "The user who runs CREATE EXTENSION becomes the owner of the extension".
So pg_dumpall is not aware who ran "CREATE EXTENSION"?
br
Kaido
On Tue, 2024-01-23 at 16:31 +0200, kaido vaikla wrote: > pg_pumpall (13.4) changes owner of the extension. > > [Extension created by user A, dump restored by user B -> Extension objects belong to B] > > Manual says "The user who runs CREATE EXTENSION becomes the owner of the extension". > So pg_dumpall is not aware who ran "CREATE EXTENSION"? The user who runs CREATE EXTENSION is the user who restores the dump, hence the changed ownership of the extension objects. There is no ALTER EXTENSION ... OWNER TO to change the owner to the original user, which is probably what would be needed in this case. This is arguably a bug. Trawling the archives, I found this pertinent thread: https://www.postgresql.org/message-id/flat/4E1F1072.3010300%40enterprisedb.com I looked for the referenced discussion, and all I found was this: https://www.postgresql.org/message-id/flat/21857.1297101968%40sss.pgh.pa.us#e2697a586e2aecbe175d3ce1b7f70bf2 That sounds to me like ALTER EXTENSION ... OWNER TO was originally planned, but never implemented: "BTW, on trying this I notice that pg_dump's default approach to ownership doesn't work because of the lack of an ALTER EXTENSION OWNER TO command. I'm going to go ahead and add extowner to the catalog anyway, because it's easy and I'm convinced we're going to want it later. But I don't feel like writing ALTER EXTENSION OWNER TO right now, so pg_dump will continue its current behavior of creating the extension as the user running the script." Obviously nobody has felt like implementing ALTER EXTENSION ... OWNER TO in the dozen years that followed that statement... This was probably not a real problem for anybody, because traditionally you needed a superuser to run CREATE EXTENSION, and functions are executable by everybody by default, so you normally don't notice a difference. Now that we have trusted extensions that don't require a superuser to create, things might have changed. It would be interesting to know if you have a real problem with the current behavior, which would be an argument in favor of fixing the omission. Yours, Laurenz Albe
Yes, i have a real problem. To keep things clear in database, my design is:
- every application has own schema
- every schema has owner who is not a user postgres
- only schema owner can do DDL's on schema
So if some application needs some extensions, then i give temporary suppersuser privilege to schema owner,
- every application has own schema
- every schema has owner who is not a user postgres
- only schema owner can do DDL's on schema
So if some application needs some extensions, then i give temporary suppersuser privilege to schema owner,
if "create extension" needs it, extensions are installed "with schema" And revoke suppersuser privilege after extension inatall.
I'm not sure, is it my design against postgres concept or not :(.
But in same time, i expect that pg_dumpall will not change ownership or at least gives some error or something.
br
Kaido
But in same time, i expect that pg_dumpall will not change ownership or at least gives some error or something.
br
Kaido
On Tue, 23 Jan 2024 at 17:30, Laurenz Albe <laurenz.albe@cybertec.at> wrote:
On Tue, 2024-01-23 at 16:31 +0200, kaido vaikla wrote:
> pg_pumpall (13.4) changes owner of the extension.
>
> [Extension created by user A, dump restored by user B -> Extension objects belong to B]
>
> Manual says "The user who runs CREATE EXTENSION becomes the owner of the extension".
> So pg_dumpall is not aware who ran "CREATE EXTENSION"?
The user who runs CREATE EXTENSION is the user who restores the dump, hence the
changed ownership of the extension objects.
There is no ALTER EXTENSION ... OWNER TO to change the owner to the original user,
which is probably what would be needed in this case.
This is arguably a bug.
Trawling the archives, I found this pertinent thread:
https://www.postgresql.org/message-id/flat/4E1F1072.3010300%40enterprisedb.com
I looked for the referenced discussion, and all I found was this:
https://www.postgresql.org/message-id/flat/21857.1297101968%40sss.pgh.pa.us#e2697a586e2aecbe175d3ce1b7f70bf2
That sounds to me like ALTER EXTENSION ... OWNER TO was originally planned,
but never implemented:
"BTW, on trying this I notice that pg_dump's default approach to
ownership doesn't work because of the lack of an ALTER EXTENSION
OWNER TO command. I'm going to go ahead and add extowner to the catalog
anyway, because it's easy and I'm convinced we're going to want it
later. But I don't feel like writing ALTER EXTENSION OWNER TO right
now, so pg_dump will continue its current behavior of creating the
extension as the user running the script."
Obviously nobody has felt like implementing ALTER EXTENSION ... OWNER TO
in the dozen years that followed that statement...
This was probably not a real problem for anybody, because traditionally
you needed a superuser to run CREATE EXTENSION, and functions are executable
by everybody by default, so you normally don't notice a difference.
Now that we have trusted extensions that don't require a superuser to
create, things might have changed. It would be interesting to know if you
have a real problem with the current behavior, which would be an argument
in favor of fixing the omission.
Yours,
Laurenz Albe
kaido vaikla <kaido.vaikla@gmail.com> writes:
> So pg_dumpall is not aware who ran "CREATE EXTENSION"?
Yeah, pg_dump makes no effort to restore extensions with the same
owner. This didn't matter back when the feature was designed,
because you had to be superuser to install most interesting
extensions. I suppose we should revisit the choice sometime.
There's no ALTER EXTENSION OWNER command, though, so it would
need to be done in a different way from other object types.
Not sure offhand what the downsides of that would be.
regards, tom lane
kaido vaikla <kaido.vaikla@gmail.com> writes:
> Yes, i have a real problem. To keep things clear in database, my design is:
> - every application has own schema
> - every schema has owner who is not a user postgres
> - only schema owner can do DDL's on schema
> So if some application needs some extensions, then i give temporary
> suppersuser privilege to schema owner,
> if "create extension" needs it, extensions are installed "with schema"
> And revoke suppersuser privilege after extension inatall.
> I'm not sure, is it my design against postgres concept or not :(.
Well, it's certainly creating a problem for pg_dump: the alleged owner
of the extension doesn't have enough privilege to install it. The
easiest way to make pg_dump support this would be to have it issue
something like
SET ROLE extension_owner;
CREATE EXTENSION foo;
RESET ROLE;
but that would fail for you.
regards, tom lane
Tom,
Before export i gave superuser privilege to extension owner.
Problem is not does user have privileges enough, but like you said
"Yeah, pg_dump makes no effort to restore extensions with the same
Before export i gave superuser privilege to extension owner.
Problem is not does user have privileges enough, but like you said
"Yeah, pg_dump makes no effort to restore extensions with the same
owner"
br
Kido
br
Kido
On Tue, 23 Jan 2024 at 18:30, Tom Lane <tgl@sss.pgh.pa.us> wrote:
kaido vaikla <kaido.vaikla@gmail.com> writes:
> Yes, i have a real problem. To keep things clear in database, my design is:
> - every application has own schema
> - every schema has owner who is not a user postgres
> - only schema owner can do DDL's on schema
> So if some application needs some extensions, then i give temporary
> suppersuser privilege to schema owner,
> if "create extension" needs it, extensions are installed "with schema"
> And revoke suppersuser privilege after extension inatall.
> I'm not sure, is it my design against postgres concept or not :(.
Well, it's certainly creating a problem for pg_dump: the alleged owner
of the extension doesn't have enough privilege to install it. The
easiest way to make pg_dump support this would be to have it issue
something like
SET ROLE extension_owner;
CREATE EXTENSION foo;
RESET ROLE;
but that would fail for you.
regards, tom lane
On Tue, 2024-01-23 at 18:01 +0200, kaido vaikla wrote: > Yes, i have a real problem. To keep things clear in database, my design is: > - every application has own schema > - every schema has owner who is not a user postgres > - only schema owner can do DDL's on schema > > So if some application needs some extensions, then i give temporary suppersuser privilege to schema owner, > if "create extension" needs it, extensions are installed "with schema" And revoke suppersuser privilege after extensioninatall. > I'm not sure, is it my design against postgres concept or not :(. > > But in same time, i expect that pg_dumpall will not change ownership or at least gives some error or something. I think your expectation is founded, and the current behavior is surprising. At first, I thought that would be a security problem in combination with trusted extensions, but then the objects from a trusted extension always belong to the bootstrap superuser. So, all extension objects always belong to a superuser, and a change in ownership to a different after a restore won't be a privilege escalation. In practice, it doesn't matter much to which superuser extension objects belong. Your usage pattern sort of breaks that. I think that your practice of temporarily elevating the prospective extension owner to superuser is a questionable one. You end up having extension objects owned by a non-superuser. That probably won't make much difference in most cases, but it could matter for SECURITY DEFINER functions or views that use restricted objects. And if the extension object owner changes after a restore, the behavior could change. I don't really see what you are expecting to gain from your design. Instead of temporarily elevating the schema owner's privileges, why don't you create the extension as superuser right away? (As an aside: you need a superuser to turn sumebody into a superuser. Don't tell me that your application is connecting as superuser...) So while I think that the current behavior is less than ideal, I don't see it as a massive problem that needs to be fixed. What is it that stops working for you after the restore? Perhaps some documentation for the surprising behavior might be in place. Yours, Laurenz Albe
My main point is, if object in database (table, function etc) should not be owned by bootstrap superuser, then avoid it: owner postgres
On Wed, 24 Jan 2024 at 16:13, Laurenz Albe <laurenz.albe@cybertec.at> wrote:
I don't really see what you are expecting to gain from your design.
Instead of temporarily elevating the schema owner's privileges, why
don't you create the extension as superuser right away?
It's quite common that initialization needs more privilege than usage
(for example, as root user #yum install postgresql-server)
(for example, as root user #yum install postgresql-server)
(As an aside: you need a superuser to turn sumebody into a superuser.
Don't tell me that your application is connecting as superuser...)
No,no. vice versa, seems my problem is that i try push out everything from superuser
So while I think that the current behavior is less than ideal, I don't
see it as a massive problem that needs to be fixed. What is it that
stops working for you after the restore?
Currently nothing, but i have tens of pg instances waiting for export-import. And design is same:
schema owner is extension owner and extension is intalled into this application schema.
Why I use it, is because if i have lot of different apps (schemas) with different extensions then overview is better.schema owner is extension owner and extension is intalled into this application schema.
"Default way": public schema and owner postgres for all extension is a big mess.
If this design is against concept of extensions or postgres i will change it in future. Would be nice, if you can point some doc.
But pg_dumpall can't change ownership without any notification i think.
CREATE EXTENSION doc should be change like:
"The user who runs CREATE EXTENSION becomes the owner of the extension until first export-import" ;)
br
Kaido
On Wed, 2024-01-24 at 19:04 +0200, kaido vaikla wrote: > CREATE EXTENSION doc should be change like: > "The user who runs CREATE EXTENSION becomes the owner of the extension until first export-import" ;) Here is a patch that implements something like that. Yours, Laurenz Albe
Вложения
Thnx, at least something.
Especially for them, whose use pg_dumpall as a backup tool.
br
Kaido
Especially for them, whose use pg_dumpall as a backup tool.
br
Kaido
On Mon, 29 Jan 2024 at 09:57, Laurenz Albe <laurenz.albe@cybertec.at> wrote:
On Wed, 2024-01-24 at 19:04 +0200, kaido vaikla wrote:
> CREATE EXTENSION doc should be change like:
> "The user who runs CREATE EXTENSION becomes the owner of the extension until first export-import" ;)
Here is a patch that implements something like that.
Yours,
Laurenz Albe