Andres Freund <andres@xxxxxxxxxxx> writes: > On 2023-11-14 15:42:22 -0500, Tom Lane wrote: >> Moreover, reordering the GRANTs is no solution, because who promised that >> the schema owner granted you any permissions? > I'm not quite following - the schema is created in the dump, so the grant is > part of it? Yeah, but the GRANT will restore whatever permissions existed in the source database. If the restoring user isn't super, those permissions don't necessarily grant him access. >> I experimented with making the restoring user be a member with inherit >> of the nosuper_N roles, and indeed I still see the failure above, >> which makes me wonder if the ACL check is being done correctly for >> that specific case. The INHERIT bit ought to let it work. > The check is for nosuper_2 to have permission on the schema ... no, it should be for the user executing the ALTER to have permission. > ... and the check > happens before the grant on the schema. For inherit to help, nosuper_2 would > have to be granted membership to the presumably more privileged user doing the > restore. No, surely the other way? Restoring user must be member of nosuper_2, else the ALTER OWNER won't work either. regards, tom lane
