Re: Add SPLIT PARTITION/MERGE PARTITIONS commands
Robert Haas <robertmhaas@gmail.com>
Commits
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Adjust errcode in checkPartition()
- d51a5d8e5692 19 (unreleased) landed
-
Fix usage of palloc() in MERGE/SPLIT PARTITION(s) code
- c5ae07a90a0f 19 (unreleased) landed
-
Implement ALTER TABLE ... SPLIT PARTITION ... command
- 4b3d173629f4 19 (unreleased) landed
- 87c21bb9412c 17.0 landed
-
Implement ALTER TABLE ... MERGE PARTITIONS ... command
- f2e4cc427951 19 (unreleased) landed
- 1adf16b8fba4 17.0 landed
-
Calculate agglevelsup correctly when Aggref contains a CTE.
- b0cc0a71e0a0 19 (unreleased) cited
-
Use PqMsg_* macros in applyparallelworker.c.
- 989b2e4d5c95 19 (unreleased) cited
-
Restrict psql meta-commands in plain-text dumps.
- 71ea0d679543 19 (unreleased) cited
-
Ensure we have a snapshot when updating various system catalogs.
- 706054b11b95 18.0 cited
-
Use specific collation where needed in new test
- 17bcf4f54504 18.0 cited
-
Expand virtual generated columns in the planner
- 1e4351af329f 18.0 cited
-
Virtual generated columns
- 83ea6c54025b 18.0 cited
-
Define PG_LOGICAL_DIR for path pg_logical/ in data folder
- c39afc38cfec 18.0 cited
-
Revert support for ALTER TABLE ... MERGE/SPLIT PARTITION(S) commands
- 84f594da3588 17.0 landed
- 3890d90c1508 18.0 landed
-
Avoid repeated table name lookups in createPartitionTable()
- f636ab41aba2 17.0 landed
- 04158e7fa37c 18.0 landed
-
Provide deterministic order for catalog queries in partition_split.sql
- d53a4286d772 17.0 landed
-
Don't copy extended statistics during MERGE/SPLIT partition operations
- fbd4321fd5b4 17.0 landed
-
Fix the name collision detection in MERGE/SPLIT partition operations
- 3a82c689fd1b 17.0 landed
-
Fix regression tests conflict in 3ca43dbbb6
- 2a679ae94e46 17.0 landed
-
Add permission check for MERGE/SPLIT partition operations
- 3ca43dbbb67f 17.0 landed
-
Fix one more portability shortcoming in new test_pg_dump test.
- d12b4ba1bd3e 17.0 cited
-
Inherit parent's AM for partition MERGE/SPLIT operations
- 259c96fa8f78 17.0 landed
-
Add tab completion for partition MERGE/SPLIT operations
- 60ae37a8bc02 17.0 landed
-
Rename tables in tests of partition MERGE/SPLIT operations
- f4fc7cb54b6a 17.0 landed
-
Make new partitions with parent's persistence during MERGE/SPLIT
- fcf80c5d5f0f 17.0 landed
-
Document the way partition MERGE/SPLIT operations create new partitions
- 842c9b27057e 17.0 landed
-
Change the way ATExecMergePartitions() handles the name collision
- 885742b9f88b 17.0 landed
-
Grammar fixes for split/merge partitions code
- 9dfcac8e15ac 17.0 landed
-
Checks for ALTER TABLE ... SPLIT/MERGE PARTITIONS ... commands
- c99ef1811a06 17.0 landed
-
Fix some grammer errors from error messages and codes comments
- df64c81ca9cb 17.0 landed
-
Support TZ and OF format codes in to_timestamp().
- 8ba6fdf905d0 17.0 cited
-
Support identity columns in partitioned tables
- 699586315704 17.0 cited
-
Fix indentation in twophase.c
- 4e465aac36ce 17.0 cited
-
Fix corner-case planner failure for MERGE.
- 326a33a289c7 16.0 cited
-
Doc: fix documentation example for bytea hex output format.
- 4f46f870fa56 16.0 cited
-
Avoid repeated name lookups during table and index DDL.
- 5f173040e324 9.4.0 cited
Hi,
In response to some concerns raised about this fix on the
pgsql-release list today, I spent some time investigating this patch.
Unfortunately, I think there are too many problems here to be
reasonably fixed before release, and I think all of SPLIT/MERGE
PARTITION needs to be reverted.
I focused my investigation on createPartitionTable(), which is a
helper for both SPLIT PARTITION and MERGE PARTITION, and it works by
consing up a CREATE TABLE AS statement and then feeding that back
through
ProcessUtility. I think it's bad design to use such a high-level
facility here; it is unlike what we do elsewhere in tablecmds.c and
opens us up to a variety of problems. The first thing that I
discovered is that this patch does not fix all of the repeated name
lookup problems. There is still this:
tlc->relation =
makeRangeVar(get_namespace_name(RelationGetNamespace(modelRel)),
RelationGetRelationName(modelRel), -1);
And also this:
createStmt->tablespacename =
get_tablespace_name(modelRel->rd_rel->reltablespace);
In both cases, we do a reverse lookup on an OID to get a name which
the CREATE TABLE code will later turn back into an OID. If we don't
get the same value, that's at least a bug and probably a security
vulnerability, and there is no way to be certain that we will get the
same value. The only remedy is to not repeat the lookup in the first
place.
Then I got to looking at this:
tlc->options = CREATE_TABLE_LIKE_ALL &
~(CREATE_TABLE_LIKE_INDEXES | CREATE_TABLE_LIKE_IDENTITY |
CREATE_TABLE_LIKE_STATISTICS);
It's not obvious at first glance that there is a critical problem
here, but there are reasons to be nervous. We're deploying a lot of
machinery here to copy a lot of stuff and, while that's efficient from
a coding perspective, it means that stuff you might not expect can
just kind of happen. For instance:
robert.haas=# \d+
List of relations
Schema | Name | Type | Owner | Persistence |
Access method | Size | Description
--------+------+-------------------+-------------+-------------+---------------+------------+-------------
public | foo | partitioned table | robert.haas | permanent |
| 0 bytes |
public | foo1 | table | robert.haas | permanent | heap
| 8192 bytes |
public | foo2 | table | bob | permanent | heap
| 8192 bytes |
(3 rows)
robert.haas=# alter table foo split partition foo2 into (partition
foo3 for values from (10) to (15), partition foo4 for values from (15)
to (20));
ALTER TABLE
robert.haas=# \d+
List of relations
Schema | Name | Type | Owner | Persistence |
Access method | Size | Description
--------+------+-------------------+-------------+-------------+---------------+------------+-------------
public | foo | partitioned table | robert.haas | permanent |
| 0 bytes |
public | foo1 | table | robert.haas | permanent | heap
| 8192 bytes |
public | foo3 | table | robert.haas | permanent | heap
| 8192 bytes |
public | foo4 | table | robert.haas | permanent | heap
| 8192 bytes |
(4 rows)
I've split a partition owned by bob into two partitions owned by
robert.haas. That's rather surprising. It doesn't work to split a
partition that I don't own (and thus gain access to it) but if the
superuser splits a non-superuser's partition, the superuser ends
upowning the new partitions. I don't know if that's a vulnerability or
just unexpected. However, then I found this, which I'm pretty well
certain is a vulnerability:
robert.haas=# set role bob;
SET
robert.haas=> create table foo (a int, b text) partition by range (a);
CREATE TABLE
robert.haas=> create table foo1 partition of foo for values from (0) to (10);
CREATE TABLE
robert.haas=> create table foo2 partition of foo for values from (10) to (20);
CREATE TABLE
robert.haas=> insert into foo values (11, 'carrots'), (16, 'pineapple');
INSERT 0 2
robert.haas=> create or replace function run_me(integer) returns
integer as $$begin raise notice 'you are running me as %',
current_user; return $1; end$$ language plpgsql immutable;
CREATE FUNCTION
robert.haas=> create index on foo (run_me(a));
NOTICE: you are running me as bob
NOTICE: you are running me as bob
CREATE INDEX
robert.haas=> reset role;
RESET
robert.haas=# alter table foo split partition foo2 into (partition
foo3 for values from (10) to (15), partition foo4 for values from (15)
to (20));
NOTICE: you are running me as robert.haas
NOTICE: you are running me as robert.haas
ALTER TABLE
I think it is very unlikely that the problems mentioned above are the
only ones. They're just what I found in an hour or two of testing.
Even if they were, we're probably too close to release to be rushing
out last minute fixes to multiple unanticipated security problems. But
because of the design that was chosen here, I think there is probably
more stuff here that is not right, some of which is security relevant
and some of which is just a question of whether we're really getting
the behavior that we want. And I don't think we can fix all that
without either a very large number of grotty hacks similar to the one
installed by 04158e7fa37c2dda9c3421ca922d02807b86df19, or a complete
redesign of the feature. I believe the latter is probably a wiser
course of action.
...Robert