Skip to content

Grant minimum required permissions for non-superuser usage #475

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ardentperf wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Grant minimum required permissions for non-superuser usage #475

ardentperf wants to merge 2 commits into from

Conversation

@ardentperf
Copy link

@ardentperf ardentperf commented Dec 16, 2025
edited
Loading

Version 1.5.2 of pg_repack allowed non-superusers to repack their own tables by updating privilege checks in several backend functions (PR #431). This capability is important for environments where platform teams manage postgres installation and upgrades, but non-superusers directly manage their own schemas and tables including repacks. However version 1.5.2 did not grant the actual privileges to run pg_repack to non-superusers. This change adds the missing grants and allows table owners to use pg_repack with --no-superuser-check. This also adds a successful non-superuser test case, which was missing before.

Importantly, table ownership permissions still prevent users from accessing intermediate repack data and log tables of other users. (cf https://github.com/ardentperf/pg_repack_isolation/blob/main/test_multiuser_isolation.log )

@ardentperf
Grant minimum required permissions to PUBLIC for non-superuser usage
e13d0f2 
These grants allow table owners to use pg_repack with
--no-superuser-check. Importantly, table ownership permissions still
prevent users from accessing intermediate repack data and log tables of
other users.
@ardentperf
Add successful non-superuser pg_repack test case
18133f7 
Replace repack schema permission grants with a test that creates
a user-owned table and verifies pg_repack works for non-superuser
with --no-superuser-check flag.
@za-arthur
Copy link
Collaborator

za-arthur commented Dec 22, 2025

Thank you @ardentperf,

Would it make sense to grant permissions only to pg_maintain role instead of broad public? Although this would work only for Postgres 17+ I don't think it makes sense to grant access to everybody.

Moreover we could allow in pg_repack to repack to those who has pg_maintain privileges, in addition to owners.

@za-arthur
Copy link
Collaborator

za-arthur commented Dec 22, 2025

There is a relevant PR #451

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ardentperf @za-arthur