PostgreSQL Bugs

Collected from the PG bugs email list.

Bug ID16279
PG Version11.6
OSmacOS, also AWS Aurora
Opened2020-02-26 16:46:18+00
Reported byPhilip Semanchuk
StatusNew

Body of first available message related to this bug follows.

The following bug has been logged on the website:

Bug reference:      16279
Logged by:          Philip Semanchuk
Email address:      (redacted)
PostgreSQL version: 11.6
Operating system:   macOS, also AWS Aurora
Description:        

The doc for pg_buffercache says, "By default use is restricted to superusers
and members of the pg_read_all_stats role. Access may be granted to others
using GRANT." (https://www.postgresql.org/docs/11/pgbuffercache.html)

In my experience, users need to be members of pg_monitor, not
pg_read_all_stats. Here's a demo on Postgres 11.6 installed on my Mac.
(Behavior on AWS Aurora Postgres is the same.) 'a_user' is a user with no
special privileges. This first block of SQL shows that a_user can't read
pg_buffercache, as expected.

a_user $ SELECT
      r.rolname, r.rolsuper, r.rolinherit, r.rolcreaterole,
      r.rolcanlogin, r.rolvaliduntil,
      ARRAY(SELECT b.rolname
            FROM pg_catalog.pg_auth_members m
            JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)
            WHERE m.member = r.oid) as memberof
FROM pg_catalog.pg_roles r
WHERE rolname = current_user
;
 rolname | rolsuper | rolinherit | rolcreaterole | rolcanlogin |
rolvaliduntil | memberof
---------+----------+------------+---------------+-------------+---------------+----------
 a_user  | f        | t          | f             | t           |            
  | {}
(1 row)

a_user $
a_user $ select * from pg_buffercache limit 1;
ERROR:  permission denied for view pg_buffercache


In a different session where I'm logged in as superuser, I GRANTed a_user
membership to pg_read_all_stats, but a_user still can't read from
pg_buffercache.

a_user $ SELECT
      r.rolname, r.rolsuper, r.rolinherit, r.rolcreaterole,
      r.rolcanlogin, r.rolvaliduntil,
      ARRAY(SELECT b.rolname
            FROM pg_catalog.pg_auth_members m
            JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)
            WHERE m.member = r.oid) as memberof
FROM pg_catalog.pg_roles r
WHERE rolname = current_user
;
 rolname | rolsuper | rolinherit | rolcreaterole | rolcanlogin |
rolvaliduntil |      memberof
---------+----------+------------+---------------+-------------+---------------+---------------------
 a_user  | f        | t          | f             | t           |            
  | {pg_read_all_stats}
(1 row)

a_user $ select * from pg_buffercache limit 1;
ERROR:  permission denied for view pg_buffercache


In my superuser session, I REVOKEd a_user's membership in pg_read_all_stats
and GRANTed membership in pg_monitor, and that enabled access to
pg_buffercache.

a_user $ SELECT
      r.rolname, r.rolsuper, r.rolinherit, r.rolcreaterole,
      r.rolcanlogin, r.rolvaliduntil,
      ARRAY(SELECT b.rolname
            FROM pg_catalog.pg_auth_members m
            JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)
            WHERE m.member = r.oid) as memberof
FROM pg_catalog.pg_roles r
WHERE rolname = current_user
;
 rolname | rolsuper | rolinherit | rolcreaterole | rolcanlogin |
rolvaliduntil |   memberof
---------+----------+------------+---------------+-------------+---------------+--------------
 a_user  | f        | t          | f             | t           |            
  | {pg_monitor}
(1 row)

a_user $
a_user $ select * from pg_buffercache limit 1;
 bufferid | relfilenode | reltablespace | reldatabase | relforknumber |
relblocknumber | isdirty | usagecount | pinning_backends
----------+-------------+---------------+-------------+---------------+----------------+---------+------------+------------------
        1 |        1262 |          1664 |           0 |             0 |     
        0 | f       |          5 |                0
(1 row)

a_user $

Messages

DateAuthorSubject
2020-02-26 16:46:18+00PG Bug reporting formBUG #16279: Permissions doc incorrect for pg_buffercache
2020-02-26 17:11:26+00Sergei KornilovRe: BUG #16279: Permissions doc incorrect for pg_buffercache
2020-02-27 21:13:17+00Philip SemanchukRe: BUG #16279: Permissions doc incorrect for pg_buffercache
2020-02-27 21:31:34+00Tom LaneRe: BUG #16279: Permissions doc incorrect for pg_buffercache
2020-02-27 21:39:04+00Philip SemanchukRe: BUG #16279: Permissions doc incorrect for pg_buffercache
2020-02-28 16:47:52+00Tom LaneRe: BUG #16279: Permissions doc incorrect for pg_buffercache