On Sun, 23 Mar 2025, Adrian Klaver wrote:
On 3/20/25 15:48, Dimitrios Apostolou wrote:* plenty of permission denials for both ALTER OWNER or SET SESSION AUTHORIZATION (depending on command line switches). Both of these require superuser privilege, but in my case this is not really needed. Dbowner has CREATEROLE and is the one who creates all the roles (WITH SET TRUE), and their private schemata in the specific database. Things would work if pg_restore did "SET ROLE" instead of "SET SESSION AUTHORIZATION" to switch user. Is this a straightforward change or there are issues I don't see?If this is --data-only what are the ALTER OWNER and SET SESSION AUTHORIZATION for?
You are probably right, early in my trials I was running pg_restore without --data-only as a non-superuser so it might be that the error message comes from there. Haven't noted the exact command for this error message unfortunately. The point still stands though. The dbowner user is administrator for this database, and has CREATEd the users with the right to SET ROLE as any of them. Those other users own tables in their private schemas. But pg_restore does SET SESSION AUTHORIZATION which requires superuser priv instead of SET ROLE. I wonder what the reasons are for that. Maybe pg_restore could either: - do SET ROLE instead of SET SESSION AUTHORIZATION - temporarily use the --superuser powers just for issuing the ALTER ROLE. Regards, Dimitris
