Skip to content

Grant extension-owner access to tables, functions in schema repack. #451

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Grant extension-owner access to tables, functions in schema repack. #451

wants to merge 1 commit into from

Conversation

harinath001
Copy link

@harinath001 harinath001 commented Apr 21, 2025
edited
Loading

Context

If PostgreSQL admin allows pg_repack to be trusted extension (by not granting superuser access to the users), then users should be ale to install and run pg_repack on their databases without the intervention of superusers/DBAs.

But today, when we make pg_repack as a trusted extension, superuser has to grant these privileges to the extension owners.

grant all on schema repack to non_superuser;
grant all privileges on all functions in schema repack to non_superuser;
grant all privileges on all tables in schema repack to non_superuser;

otherwise we get this error

ERROR: pg_repack failed with error: ERROR:  permission denied for schema repack
LINE 1: select repack.version(), repack.version_sql()

this is because when the extension is trusted, the schema is owned by install superuser

test_db=> \c test_db nonsuper
You are now connected to database "test_db" as user "nonsuper".
test_db=> create extension pg_repack;
CREATE EXTENSION
test_db=> \dn
      List of schemas
  Name  |       Owner       
--------+-------------------
 public | pg_database_owner
 repack | harinath
(2 rows)

test_db=> \du
                             List of roles
 Role name |                         Attributes                         
-----------+------------------------------------------------------------
 harinath  | Superuser, Create role, Create DB, Replication, Bypass RLS
 nonsuper  | Create DB

test_db=>

Note:

  • This patch should not affect the behavior if the extension is not trusted.
  • This patch will be helpful only on postgresql versions >= 13.

@harinath001 harinath001 force-pushed the trusted_patch branch 2 times, most recently from 6c24873 to 19e14d1 Compare April 21, 2025 19:03
Make extension-owner as the owner of schema repack,
cbfac44 
and grant access to tables, functions in schema repack.

This will ensure that the extension can be installed as trusted extension,
and non-superusers can create and use the extension, without superuser/DBA help.
@harinath001 harinath001 mentioned this pull request Apr 21, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@harinath001