Partitioned table permission question

Tue, 20 Apr 2021 05:00:17 -0700 

Hi hackers,

As I played with the partitioned table with GRANT, I found two questions.
Let's see an example:


CREATE TABLE measurement (
    city_id         int not null,
    logdate         date not null,
    peaktemp        int,
    unitsales       int
) PARTITION BY RANGE (logdate);

CREATE TABLE measurement_y2006m02 PARTITION OF measurement
    FOR VALUES FROM ('2006-02-01') TO ('2006-03-01');

CREATE TABLE measurement_y2006m03 PARTITION OF measurement
    FOR VALUES FROM ('2006-03-01') TO ('2006-04-01');

CREATE USER a;
GRANT SELECT ON measurement TO a;
GRANT INSERT ON measurement TO a;

I created a partitioned table with two leaf tables and only grant SELECT, 
INSERT on the root table to user a.

The first question is:
As a user a, since I don't have permission to read the leaf tables, but select 
from the root will return the leafs data successfully.

postgres=# set role a;
postgres=> explain select * from measurement_y2006m02;
ERROR:  permission denied for table measurement_y2006m02
postgres=> explain select * from measurement;
                                         QUERY PLAN
---------------------------------------------------------------------------------------------
 Append  (cost=0.00..75.50 rows=3700 width=16)
   ->  Seq Scan on measurement_y2006m02 measurement_1  (cost=0.00..28.50 
rows=1850 width=16)
   ->  Seq Scan on measurement_y2006m03 measurement_2  (cost=0.00..28.50 
rows=1850 width=16)
(3 rows)

From the plan, we do scan on the leaf tables without ACL check. And the reason 
is in expand_single_inheritance_child,
we always set childrte->requiredPerms = 0; Seems like we always think the child 
has the same permission with the partitioned table.


For the second question:
As a user a, I'm not allowed to insert any data into leaf tables.
But insert on the partitioned table will make the data go into leaves.

postgres=> insert into measurement_y2006m02 values (1, '2006-02-01', 1, 1);
ERROR:  permission denied for table measurement_y2006m02
postgres=> insert into measurement values (1, '2006-02-01', 1, 1);
INSERT 0 1

It makes me feel strange, we can grant different permission for partition 
tables, but as long as the user
has permission on the partitioned table, it can still see/modify the leaf 
tables which don't have permission.
Can anyone help me understand the behavior?

Reply via email to