database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-11-07 19:06:32 +03:00
Code Activity

Fix privilege checks for pg_prewarm() on indexes.

Browse Source 
pg_prewarm() currently checks for SELECT privileges on the target
relation.  However, indexes do not have access rights of their own,
so a role may be denied permission to prewarm an index despite
having the SELECT privilege on its parent table.  This commit fixes
this by locking the parent table before the index (to avoid
deadlocks) and checking for SELECT on the parent table.  Note that
the code is largely borrowed from
amcheck_lock_relation_and_check().

An obvious downside of this change is the extra AccessShareLock on
the parent table during prewarming, but that isn't expected to
cause too much trouble in practice.

Author: Ayush Vatsa <ayushvatsa1810@gmail.com>
Co-authored-by: Nathan Bossart <nathandbossart@gmail.com>
Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>
Reviewed-by: Jeff Davis <pgsql@j-davis.com>
Discussion: https://postgr.es/m/CACX%2BKaMz2ZoOojh0nQ6QNBYx8Ak1Dkoko%3DD4FSb80BYW%2Bo8CHQ%40mail.gmail.com
Backpatch-through: 13
This commit is contained in:
Nathan Bossart
2025-10-17 11:36:50 -05:00
parent f01c4eb4e9
commit a0551bc573
2 changed files with 72 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
contrib/pg_prewarm/t/001_basic.pl
View File

@@ -23,7 +23,9 @@ $node->start;
$node->safe_psql("postgres",
"CREATE EXTENSION pg_prewarm;\n"
. "CREATE TABLE test(c1 int);\n"
. "INSERT INTO test SELECT generate_series(1, 100);");
. "INSERT INTO test SELECT generate_series(1, 100);\n"
. "CREATE INDEX test_idx ON test(c1);\n"
. "CREATE ROLE test_user LOGIN;");
# test read mode
my $result =
@@ -42,6 +44,31 @@ ok( ( $stdout =~ qr/^[1-9][0-9]*$/
or $stderr =~ qr/prefetch is not supported by this build/),
'prefetch mode succeeded');
# test_user should be unable to prewarm table/index without privileges
($cmdret, $stdout, $stderr) =
$node->psql(
"postgres", "SELECT pg_prewarm('test');",
extra_params => [ '--username' => 'test_user' ]);
ok($stderr =~ /permission denied for table test/, 'pg_prewarm failed as expected');
($cmdret, $stdout, $stderr) =
$node->psql(
"postgres", "SELECT pg_prewarm('test_idx');",
extra_params => [ '--username' => 'test_user' ]);
ok($stderr =~ /permission denied for index test_idx/, 'pg_prewarm failed as expected');
# test_user should be able to prewarm table/index with privileges
$node->safe_psql("postgres", "GRANT SELECT ON test TO test_user;");
$result =
$node->safe_psql(
"postgres", "SELECT pg_prewarm('test');",
extra_params => [ '--username' => 'test_user' ]);
like($result, qr/^[1-9][0-9]*$/, 'pg_prewarm succeeded as expected');
$result =
$node->safe_psql(
"postgres", "SELECT pg_prewarm('test_idx');",
extra_params => [ '--username' => 'test_user' ]);
like($result, qr/^[1-9][0-9]*$/, 'pg_prewarm succeeded as expected');
# test autoprewarm_dump_now()
$result = $node->safe_psql("postgres", "SELECT autoprewarm_dump_now();");
like($result, qr/^[1-9][0-9]*$/, 'autoprewarm_dump_now succeeded');