
CREATE INDEX: use the original userid for more ACL checks and fix for It in MPP. #1577

Open
reshke wants to merge 3 commits into apache:main from reshke:ace9973867c_and_fix
@reshke reshke commented Feb 15, 2026

This PR cherry-picks upstream commit ace9973867c and provides a fix for it in MPP. The thing is, the newly added citext test runs OK in utility mode (QE alone, without CDBDispatch logic involved). In MPP, the test does not succeed, resulting in:

reshke=# CREATE UNIQUE INDEX u0rows ON s.x USING btree
  ((s.index_this_expr(y, s.const())) COLLATE s.coll s.citext_pattern_ops)
  WHERE s.index_row_if(y);
ERROR:  permission denied for schema s  (seg0 127.0.1.1:7002 pid=3553830)

The reason is that CdbDispatchUtilityStatement is called before restoring the current user id, and it dispatches the session and current user ids, which in turn are used in the QE to execute permission checking. See https://github.com/apache/cloudberry/blob/main/src/backend/cdb/dispatcher/cdbdisp_query.c#L921-L923 . So permission checks are executed against the relation owner and not the running (original) user (as intended by ace9973867c).

The second commit in the PR shuffles the security context reset before the CDB utility statement dispatch call.
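
The ordering problem described in this comment, reduced to a small model (an added example, not code from the PR or from Cloudberry). The role ids, the ACL rule and every function name are constructed for illustration; the only behaviour taken from the page is that the dispatch ships whatever the current user id is at the moment of the call, and the segment checks permissions as that user.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed role ids; not values from Cloudberry. */
enum { ORIGINAL_USER = 10, TABLE_OWNER = 20 };

static int current_user = ORIGINAL_USER;   /* coordinator session state (model) */

/* Model ACL (assumption): only the original user has USAGE on schema "s". */
static bool has_schema_usage(int role) { return role == ORIGINAL_USER; }

/* Model of the dispatch: it captures the current user id at call time. */
typedef struct { int user_id; } DispatchMsg;
static DispatchMsg dispatch_utility(void) { return (DispatchMsg){ current_user }; }

/* Model of the segment (QE): the ACL check runs as the dispatched user id. */
static bool qe_create_index(DispatchMsg m) { return has_schema_usage(m.user_id); }

/* Failing order: dispatch while still switched to the table owner. */
bool dispatch_before_restore(void)
{
    int save = current_user;
    current_user = TABLE_OWNER;           /* switch for owner-run code */
    DispatchMsg m = dispatch_utility();   /* captures TABLE_OWNER */
    current_user = save;                  /* restored too late for the QE */
    return qe_create_index(m);
}

/* Fixed order: reset the security context first, then dispatch. */
bool restore_before_dispatch(void)
{
    int save = current_user;
    current_user = TABLE_OWNER;
    current_user = save;                  /* original user is current again */
    DispatchMsg m = dispatch_utility();   /* captures ORIGINAL_USER */
    return qe_create_index(m);
}

int main(void)
{
    printf("dispatch before restore: %s\n",
           dispatch_before_restore() ? "ok" : "permission denied for schema s");
    printf("restore before dispatch: %s\n",
           restore_before_dispatch() ? "ok" : "permission denied for schema s");
    return 0;
}
```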

nmisch and others added 2 commits February 11, 2026 18:36
Commit a117ceb used the original userid
for ACL checks located directly in DefineIndex(), but it still adopted
the table owner userid for more ACL checks than intended.  That broke
dump/reload of indexes that refer to an operator class, collation, or
exclusion operator in a schema other than "public" or "pg_catalog".
Back-patch to v10 (all supported versions), like the earlier commit.

Nathan Bossart and Noah Misch

Discussion: https://postgr.es/m/f8a4105f076544c180a87ef0c4822352@stmuk.bayern.de
@reshke reshke linked an issue Feb 15, 2026 that may be closed by this pull request
Development

Successfully merging this pull request may close these issues.

14.4 -> 14.5 cherry-pick

3 participants