On Thu, Jun 30, 2016 at 1:38 PM, Murphy, Kevin <murph...@email.chop.edu>
wrote:

> Is it expected that "grant * on database" grants are dumped only by
> `pg_dumpall -s` and not by `pg_dump -s` or `pg_dumpall -g`?
>
> Some people might assume that to restore a cluster it should be sufficient
> to restore pg_dumpall globals output followed by individual pg_dump output.
> Seemingly, this would not be a good assumption, unless plain `pg_dump`
> actually incorporates these grants even though `pg_dump -s` does not.
> Regardless, something about this situation seems off to me. I'm using 9.5,
> BTW.
>
> I've seen this discussed here:
> https://www.postgresql.org/message-id/E1VYMqi-0001P4-P4%40wrigleys.postgresql.org,
> but the discussion petered out prematurely.
>
>
​I have to agree.  At worse this is a documentation bug but I do think we
have an actual oversight here - although probably not exactly this or the
linked bug report.

Testing this out a bit on 9.5 Ubuntu 14.04 - I believe the last command,
<pg_dump -C -s testdb>, is in error.

​<<SQL​

create user testuser;
create database testdb;
grant create on database testdb to testuser;

$ pg_dumpall
[...]
CREATE ROLE testuser;
ALTER ROLE testuser WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN
NOREPLICATION NOBYPASSRLS;
CREATE DATABASE testdb WITH TEMPLATE = template0 OWNER = vagrant;
GRANT CREATE ON DATABASE testdb TO testuser;
REVOKE ALL ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM postgres;
GRANT ALL ON SCHEMA public TO postgres;
GRANT ALL ON SCHEMA public TO PUBLIC;
[...]

$ pg_dumpall -g
[...]
CREATE ROLE testuser;
ALTER ROLE testuser WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN
NOREPLICATION NOBYPASSRLS;
-------NO CREATE DATABASE (ok, db definitions are not globals)
-------NO GRANT STATEMENTS (since we don't create the DB it doesn't make
sense to perform grants on it - might not even have the same name when
restored)
REVOKE ALL ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM postgres;
GRANT ALL ON SCHEMA public TO postgres;
GRANT ALL ON SCHEMA public TO PUBLIC;
[...]

$ pg_dump -s testdb
[...]
-------NO CREATE DATABASE (OK - didn't ask for one)
-------NO GRANT STATEMENTS (I guess, let whatever is presently in place
rule - basically the same as pg_dumpall -g)
REVOKE ALL ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM postgres;
GRANT ALL ON SCHEMA public TO postgres;
GRANT ALL ON SCHEMA public TO PUBLIC;
[...]

$ pg_dump -C -s testdb
[...]
CREATE DATABASE testdb WITH TEMPLATE = template0 ENCODING = 'UTF8'
LC_COLLATE = 'en_US.UTF-8' LC_CTYPE = 'en_US.UTF-8';
--!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
--NO GRANT STATEMENTS (If we create the DB we should also be instantiating
the GRANTs, like we do in pg_dumpall)
--!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
REVOKE ALL ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM postgres;
GRANT ALL ON SCHEMA public TO postgres;
GRANT ALL ON SCHEMA public TO PUBLIC;
[...]

SQL

David J.

Reply via email to