Comments (7)
I've found out that this error only fires up when I try to delete from a table, which is referenced by another one by a FK constraint.
This is a constraint on a auth.lnk_users_user_roles
table:
CONSTRAINT fk_users FOREIGN KEY (user_guid) REFERENCES auth.ref_users(guid) ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED
Both auth.ref_users
and auth.lnk_users_user_roles
are being audited by pgmemento.
The error fires up when I'm trying to run
DELETE FROM auth.ref_users WHERE guid = '....'
Notice, that error is fired when inserting transaction for a referencing table.
Shouldn't only one record in transaction_log be inserted in this case?
from pgmemento.
Yes, only one row will be inserted, but for a cascading delete another insert will be triggered and omitted (DO NOTHING).
Strange error, indeed. Not sure if it has to do with the deferrable setting. On the other Hand a 42501 error always reads to me as a lack of permissions. Is your superuser also the owner of pgmemento's tables and functions?
from pgmemento.
I've double checked that and also ran this
GRANT ALL PRIVILEGES ON TABLE pgmemento.transaction_log TO postgres;
ALTER TABLE pgmemento.transaction_log OWNER TO postgres;
Still have this [42501] ERROR: permission denied for table transaction_log
thing.
Some side questions:
Why aren't pgmemento functions marked as SECURITY DEFINER
?
Why do triggers return NULL
? I've got some other triggers on logged table, does returned NULL
dismiss them?
from pgmemento.
Ok, I have a reproducible example here:
DROP TABLE IF EXISTS parent CASCADE;
DROP TABLE IF EXISTS child;
DROP ROLE IF EXISTS tbl_owners;
CREATE ROLE tbl_owners;
GRANT tbl_owners TO current_user;
CREATE TABLE parent (
id SERIAL PRIMARY KEY
);
ALTER TABLE parent OWNER TO tbl_owners;
CREATE TABLE child (
id SERIAL PRIMARY KEY,
parent_id INTEGER,
CONSTRAINT fk_parent FOREIGN KEY (parent_id) REFERENCES parent(id) ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED
);
ALTER TABLE child OWNER TO tbl_owners; --THIS LINE CAUSES TROUBLE!!
SELECT pgmemento.create_table_audit('parent', 'public', TRUE);
SELECT pgmemento.create_table_audit('child', 'public', TRUE);
INSERT INTO parent (id) VALUES (1);
INSERT INTO child (parent_id) VALUES (1);
DELETE FROM parent; --BOOM!
If I remove ALTER TABLE child OWNER TO tbl_owners;
then everything works OK.
@FxKu can you please point to a solution?
from pgmemento.
Thanks for creating this example. That will help to narrow down the problem. Looks like the missing security definer is indeed the reason for this, but not sure.
I can fix it next week as I'm currently in vacation. Or you come up with a PR ;)
from pgmemento.
Not sure if adding a security definer is a good move - this can be a security issue then, allowing users to modify audit tables.
I've found a source of this bug: actions of FK are executed by table owner, not current_user
. So the DELETE CASCADE
fired a DELETE
command by tbl_owners
user.
In my case table owner didn't have permissions to select and modify audit tables - so this resulted in permission error.
from pgmemento.
Good to know. Thanks for investigating. Didn't find the time yet.
from pgmemento.
Related Issues (20)
- Function register_audit_table not called (in create_table_audit)?
- Is it possible to use pgmemento.create_table_audit without tracking DDL changes?
- Renaming tables fails on Postgres 14 HOT 1
- Restoring dropped table fails with id sequences
- Cannot create new table that contains a foreign key
- `REFERENCES` constraints on table creation leads to duplicate creation of `pgmemento_audit_id` column HOT 2
- pgmemento.init generates invalid session_info HOT 4
- Full record history between two dates HOT 2
- Installation instructions are broken, what to "make"? HOT 2
- Feature request: start auditing on some columns of table HOT 4
- revert_transaction cannot revert updates with array types HOT 4
- Changing a column multiple times in one transaction breaks restoring HOT 1
- Renaming multiple times in one transaction is not recorded by auditing system HOT 6
- Fix COALESCE on restore
- 0.7.2 update error HOT 3
- Bug: some updates are not tracked when a table is updated via function calls (in the same transaction) HOT 4
- Installing to a different location HOT 2
- Any best practices for frequent bulk import? HOT 2
- Consider using transition tables to improve logging performance HOT 1
- Adding columns to a wide table breaks tracking HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from pgmemento.