Skip to content

Comments

CREATE INDEX: use the original userid for more ACL checks and fix for It in MPP.#1577

Merged
reshke merged 2 commits intoapache:mainfrom
reshke:ace9973867c_and_fix
Feb 21, 2026
Merged

CREATE INDEX: use the original userid for more ACL checks and fix for It in MPP.#1577
reshke merged 2 commits intoapache:mainfrom
reshke:ace9973867c_and_fix

Conversation

@reshke
Copy link
Contributor

@reshke reshke commented Feb 15, 2026
edited
Loading

This PR cherry-pick upstream commit ace9973867c and provides fix for it in MPP. The thing is, newly-added citext test runs OK it utility mode (QE-alone, without CDBDispatch logic involved). In MPP, test does not succeed, resulting in:

reshke=# CREATE UNIQUE INDEX u0rows ON s.x USING btree
  ((s.index_this_expr(y, s.const())) COLLATE s.coll s.citext_pattern_ops)
  WHERE s.index_row_if(y);
ERROR:  permission denied for schema s  (seg0 127.0.1.1:7002 pid=3553830)

The reason is, CdbDispatchUtilityStatement is called before restoring current user id, dispatches session and current user id, which in turn are used in QE to execute permission checking. See https://github.com/apache/cloudberry/blob/main/src/backend/cdb/dispatcher/cdbdisp_query.c#L921-L923 . So permission checks and executed against relation owner and not running (original) user (as intended by ace9973867c).

Second commit in PR shuffles security context reset before CDB utility statement dispatch call.

@reshke reshke mentioned this pull request Feb 15, 2026
Merged
@reshke reshke linked an issue Feb 15, 2026 that may be closed by this pull request
14.4 -> 14.5 cherry-pick #1566
Closed
@reshke reshke mentioned this pull request Feb 17, 2026
Open
12 tasks
@reshke reshke requested a review from avamingli February 20, 2026 08:20
@reshke reshke force-pushed the ace9973867c_and_fix branch from 4a0970f to 019f4f2 Compare February 20, 2026 08:32
avamingli
avamingli approved these changes Feb 21, 2026
View reviewed changes
Copy link
Contributor

@avamingli avamingli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, LGTM.

nmisch and others added 2 commits February 21, 2026 19:19
@nmisch @avamingli
CREATE INDEX: use the original userid for more ACL checks.
9ac2ccb 
Commit a117ceb used the original userid
for ACL checks located directly in DefineIndex(), but it still adopted
the table owner userid for more ACL checks than intended.  That broke
dump/reload of indexes that refer to an operator class, collation, or
exclusion operator in a schema other than "public" or "pg_catalog".
Back-patch to v10 (all supported versions), like the earlier commit.

Nathan Bossart and Noah Misch

Discussion: https://postgr.es/m/f8a4105f076544c180a87ef0c4822352@stmuk.bayern.de
@reshke @avamingli
Fix for ace9973867c to work in MPP
029e1ad
@reshke reshke merged commit 050d370 into apache:main Feb 21, 2026
40 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@x4m x4m x4m approved these changes

@avamingli avamingli avamingli approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

14.4 -> 14.5 cherry-pick

4 participants

@reshke @x4m @avamingli @nmisch