On Tue, 19 May 2020 at 15:31, Pavan Deolasee <pavan.deola...@gmail.com> wrote:
>
> Hi,
>
> I noticed that if a row level policy is defined on an extension
> object, even in the extension creation script, pg_dump dumps a
> separate CREATE POLICY statement for such policies. That makes the
> dump unrestorable because the CREATE EXTENSION and CREATE POLICY then
> conflicts.
>
> Here is a simple example. I just abused the pageinspect contrib module
> to demonstrate the problem.
>
> ```
> diff --git a/contrib/pageinspect/pageinspect--1.5.sql
> b/contrib/pageinspect/pageinspect--1.5.sql
> index 1e40c3c97e..f04d70d1c1 100644
> --- a/contrib/pageinspect/pageinspect--1.5.sql
> +++ b/contrib/pageinspect/pageinspect--1.5.sql
> @@ -277,3 +277,9 @@ CREATE FUNCTION gin_leafpage_items(IN page bytea,
> RETURNS SETOF record
> AS 'MODULE_PATHNAME', 'gin_leafpage_items'
> LANGUAGE C STRICT PARALLEL SAFE;
> +
> +-- sample table
> +CREATE TABLE pf_testtab (a int, b int);
> +-- sample policy
> +CREATE POLICY p1 ON pf_testtab
> +FOR SELECT USING (true);
> ```
>
> If I now take a dump of a database with pageinspect extension created,
> the dump has the following.
>
> ```
>
> --
> -- Name: pageinspect; Type: EXTENSION; Schema: -; Owner:
> --
>
> CREATE EXTENSION IF NOT EXISTS pageinspect WITH SCHEMA public;
>
> --
> -- Name: pf_testtab p1; Type: POLICY; Schema: public; Owner: pavan
> --
>
> CREATE POLICY p1 ON public.pf_testtab FOR SELECT USING (true);
>
> ```
>
> That's a problem. The CREATE POLICY statement fails during restore
> because CREATE EXTENSION already creates the policy.
>
> Are we missing recording dependency on extension for row level
> policies? Or somehow pg_dump should skip dumping those policies?
>
I think we don't support this case as the comment in
checkExtensionMembership() describes:
/*
* In 9.6 and above, mark the member object to have any non-initial ACL,
* policies, and security labels dumped.
*
* Note that any initial ACLs (see pg_init_privs) will be removed when we
* extract the information about the object. We don't provide support for
* initial policies and security labels and it seems unlikely for those to
* ever exist, but we may have to revisit this later.
*
* Prior to 9.6, we do not include any extension member components.
*
* In binary upgrades, we still dump all components of the members
* individually, since the idea is to exactly reproduce the database
* contents rather than replace the extension contents with something
* different.
*/
Regards,
--
Masahiko Sawada http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
