Re: Largeobject Access Controls (r2460)

Takahiro Itagaki <itagaki.takahiro@oss.ntt.co.jp>

From: Takahiro Itagaki <itagaki.takahiro@oss.ntt.co.jp>
To: KaiGai Kohei <kaigai@ak.jp.nec.com>
Cc: Robert Haas <robertmhaas@gmail.com>, Tom Lane <tgl@sss.pgh.pa.us>, Jaime Casanova <jcasanov@systemguards.com.ec>, Greg Smith <greg@2ndquadrant.com>, pgsql-hackers@postgresql.org
Date: 2010-01-21T10:42:30Z
Lists: pgsql-hackers
KaiGai Kohei <kaigai@ak.jp.nec.com> wrote:

> > I'm not sure whether we need to make groups for each owner of large objects.
> > If I remember right, the primary issue was separating routines for dump
> > BLOB ACLS from routines for BLOB COMMENTS, right? Why did you make the change?
> 
> When --use-set-session-authorization is specified, pg_restore tries to
> change database role of the current session just before creation of
> database objects to be restored.
> 
> Ownership of the database objects are recorded in the section header,
> and it informs pg_restore who should be owner of the objects to be
> restored in this section.
> 
> Then, pg_restore can generate ALTER xxx OWNER TO after creation, or
> SET SESSION AUTHORIZATION before creation in runtime.
> So, we cannot put creation of largeobjects with different ownership
> in same section.
> 
> It is the reason why we have to group largeobjects by database user.

Ah, I see.

Then... What happen if we drop or rename roles who have large objects
during pg_dump? Does the patch still work? It uses pg_get_userbyid().

Regards,
---
Takahiro Itagaki
NTT Open Source Software Center