Re: Largeobject Access Controls (r2460)

Kouhei Kaigai <kaigai@ak.jp.nec.com>

From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: Takahiro Itagaki <itagaki.takahiro@oss.ntt.co.jp>
Cc: Robert Haas <robertmhaas@gmail.com>, Tom Lane <tgl@sss.pgh.pa.us>, Jaime Casanova <jcasanov@systemguards.com.ec>, Greg Smith <greg@2ndquadrant.com>, pgsql-hackers@postgresql.org
Date: 2010-01-21T23:55:06Z
Lists: pgsql-hackers
(2010/01/21 19:42), Takahiro Itagaki wrote:
> 
> KaiGai Kohei<kaigai@ak.jp.nec.com>  wrote:
> 
>>> I'm not sure whether we need to make groups for each owner of large objects.
>>> If I remember right, the primary issue was separating routines for dump
>>> BLOB ACLS from routines for BLOB COMMENTS, right? Why did you make the change?
>>
>> When --use-set-session-authorization is specified, pg_restore tries to
>> change database role of the current session just before creation of
>> database objects to be restored.
>>
>> Ownership of the database objects are recorded in the section header,
>> and it informs pg_restore who should be owner of the objects to be
>> restored in this section.
>>
>> Then, pg_restore can generate ALTER xxx OWNER TO after creation, or
>> SET SESSION AUTHORIZATION before creation in runtime.
>> So, we cannot put creation of largeobjects with different ownership
>> in same section.
>>
>> It is the reason why we have to group largeobjects by database user.
> 
> Ah, I see.
> 
> Then... What happen if we drop or rename roles who have large objects
> during pg_dump? Does the patch still work? It uses pg_get_userbyid().

Indeed, pg_get_userbyid() internally uses SnapshotNow always, then it
can return "unknown (OID=%u)" in this case.

The "username_subquery" should be here, instead.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>