'Re: Changed functionality from 14.3 to 15.3'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       postgresql-general
Subject:    Re: Changed functionality from 14.3 to 15.3
From:       Michael Corey <michael.corey.ap () nielsen ! com>
Date:       2023-09-22 20:37:53
Message-ID: CAABu8T_aqsd5R8Ej35K8Wmi6Nm7YOxDdHAELT7cPp32OOnbC8g () mail ! gmail ! com
[Download RAW message or body]

I created a clean 14.3 server with everything default on server creation.
Ran the setup script did the test and again I was able to query the data
successfully.  I then decided to create a clean 15.3 server with everything
default.  Ran the setup script did the test and was not able to query the
data.

Interestingly enough I contacted AWS and presented the same issue to them
and they informed me that they could duplicate my exact issue, and said yes
there was a functionality change from 14 to 15, but they did not say if the
change was something they did with their RDS Postgres or was it something
changed in the underlying Postgres build.



On Wed, Sep 20, 2023 at 7:11 PM Erik Wienhold <ewie@ewie.name> wrote:

> On 2023-09-20 17:53 -0400, Michael Corey wrote:
> > To make matters even more strange.  I checked the permissions of
> > rds_superuser in 15 and 14
> >
> > For 14
> > GRANT pg_monitor, pg_signal_backend, rds_password, rds_replication TO
> > rds_superuser WITH ADMIN OPTION;
> >
> > For 15
> > GRANT pg_checkpoint, pg_monitor, *pg_read_all_data*, pg_signal_backend,
> > *pg_write_all_data*, rds_password, rds_replication TO rds_superuser WITH
> > ADMIN OPTION;
> >
> > AWS added these permissions, but based on what they do you would think
> this
> > would allow the SELECTs in 15.
>
> Yes it would if sten_schema would inherit from rds_superuser.  But it
> cannot inherit privileges from rds_superuser (indrect membership through
> object_creator) because object_creator was created with NOINHERIT.  And
> INHERIT applies to direct memberships only.
>
> --
> Erik
>


-- 
Michael Corey

[Attachment #3 (text/html)]

<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif">I \
created a clean 14.3 server with everything default on server creation.   Ran the \
setup script did the test and again I was able to query the data successfully.   I \
then decided to create a clean 15.3 server with everything default.   Ran the setup \
script did the test and was not able to query the data.</div><div \
class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div \
class="gmail_default" style="font-family:verdana,sans-serif">Interestingly  enough I \
contacted AWS and presented the same issue to them and they informed me that they \
could duplicate my exact issue, and said yes there was a functionality change from  \
14 to 15, but they did not say if the change was something they did with their RDS \
Postgres or was it something changed in the underlying Postgres build.</div><div \
class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div \
class="gmail_default" style="font-family:verdana,sans-serif"><br></div></div><br><div \
class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Sep 20, 2023 at \
7:11 PM Erik Wienhold &lt;<a href="mailto:ewie@ewie.name">ewie@ewie.name</a>&gt; \
wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px \
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 2023-09-20 17:53 \
-0400, Michael Corey wrote:<br> &gt; To make matters even more strange.   I checked \
the permissions of<br> &gt; rds_superuser in 15 and 14<br>
&gt; <br>
&gt; For 14<br>
&gt; GRANT pg_monitor, pg_signal_backend, rds_password, rds_replication TO<br>
&gt; rds_superuser WITH ADMIN OPTION;<br>
&gt; <br>
&gt; For 15<br>
&gt; GRANT pg_checkpoint, pg_monitor, *pg_read_all_data*, pg_signal_backend,<br>
&gt; *pg_write_all_data*, rds_password, rds_replication TO rds_superuser WITH<br>
&gt; ADMIN OPTION;<br>
&gt; <br>
&gt; AWS added these permissions, but based on what they do you would think this<br>
&gt; would allow the SELECTs in 15.<br>
<br>
Yes it would if sten_schema would inherit from rds_superuser.   But it<br>
cannot inherit privileges from rds_superuser (indrect membership through<br>
object_creator) because object_creator was created with NOINHERIT.   And<br>
INHERIT applies to direct memberships only.<br>
<br>
-- <br>
Erik<br>
</blockquote></div><br clear="all"><div><br></div><span \
class="gmail_signature_prefix">-- </span><br><div dir="ltr" \
class="gmail_signature"><div dir="ltr"><font face="comic sans ms, sans-serif">Michael \
Corey</font></div></div>



[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic