-
-
Notifications
You must be signed in to change notification settings - Fork 337
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Error: Permission denied for sequence #4071
Comments
Neat, and a bit subtle. This is due to a few things coming together:
We could solve this in the It's correct that granting PostgreSQL, for their part, strongly recommend using Note that Newly-created tables in Mathesar won't have this problem, since they use the recommended identity generator style. |
After thinking about it a bit, I suggest we:
I don't really think we should introduce the concept of "sequence permissions". If we update our data sets, this will only happen if they connect to preexisting DBs. The recommendation from the PG docs has been to use the new identity sequence style since PostgreSQL 10. The only reason we had these legacy sequences in our data sets is because they were constructed back when we were still using SQLAlchemy to create and modify tables, and that tool defaults to the legacy sequence style. So far, we haven't seen any feedback indicating that our users are wiring up to preexisting DBs with these legacy sequences, and if they did, I'd expect them to already have some ability to grant permissions on the DB using another client. Perhaps we could offer some guidance in our docs about that. |
|
I think both. We need to make sure they understand what happened, and give them options. The reason is that this is a really specific setup and we can't necessarily guarantee which solution would work for their use case. They may, in some edge cases, want to allow some users to insert into a table as long as they provide their own ID values, while others can pull from the sequence. This would mean they need to have guidance about what privileges are needed for the sequence (honestly, I would imagine a user who has this need would already know about those privileges). For the more common case, we would want to provide guidance about updating their tables to use the newer sequence style.
Perhaps a link from the error message to the docs? We could also just have this in the docs and allow users to find it via searching or google. I think this is likely to be an exceedingly rare problem.
They won't bump into it through the steps Zack and you took after the merge of #4075. See above for ideas about how they'd get help if they do bump into it. Overall, I think "Mathesar doesn't have great support for managing permissions on a sequence style which has been deprecated for 7 years" is a reasonable compromise for the moment. Eventually, of course, we should fully support working with all privileges on all objects in PostgreSQL, but I'd put this legacy sequence style below a number of other things in priority. Edit: This would be a case where it might make sense to encourage error reports from the app as described in the analytics writeup on HackMD. I'd be interested in whether this actually causes a problem for a single user (now that our demo data sets are fixed) |
Ok this gives me a clearer picture of what you're after. Thanks!
I hope you're correct with this prediction. My initial impression was that this problem might not necessarily be rare. It was mostly a hunch, but informed by the following anecdotes and logic:
Anyway... if, after reading my thoughts above, you still feel confident that this problem will, in fact, be exceedingly rare, then I'm keen to trust you on that!
This is a cool idea. I can see some technical challenges in implementing it though.
If we take up this implementation, it would be interesting to talk through these details on a call to hash out an approach. But: instead of trying to recover gracefully from a failed Anyway, I'm probably getting too far into the weeds now, so I'll cut myself off. If this is rare, then fine, let's sleep on this. But if not, I'd be keen to bounce some more ideas around for how to approach it. |
A UI observation worth mentioning, regarding errors: It should be visible in the user testing session video, but during the session I was unable to select the error text as hovering my mouse over the error pop-up/tooltip resulted in the pop-up/tooltip disappearing. |
You raise some good points, @seancolsen . Thanks for spending the time and putting in so much apparent legwork. It seems Django has been using
is rare. The way they'd end up at point (3) is if they've had these sequences, but haven't run into the problem before. I.e., they haven't actually granted Regarding Django, Rails, SQLAlchemy, etc. Many (maybe most) of the ORM or otherwise multi-dialect SQL-speaking tools tend to run your whole app as a single user. In that case, permissions aren't an issue. For example, if a user wires Mathesar up to a Django DB for some kind of lower-level DB admin interface, it seems most likely to me they're going to just log in with the same user that Django uses to connect to the DB. Same for the other tools. It's just my intuition, though, I'm not exactly 100% confident in that assessment. Finally, to reiterate, I do think we should completely solve this sometime (say before the next year is out), since I want to reach something like "feature parity" with PostgreSQL itself w.r.t. privilege wrangling. I just think I have a different assessment of the priority level compared to other concerns (even other privilege-related concerns). |
Ok right on. Makes sense. Thanks @mathemancer! I'm always happy when we identify things to deprioritize! |
In this user testing session, starting at 46:13, we were trying to insert a row into a table and we hit an error that we didn't expect.
This was after we had granted a role all privileges on a table which the role didn't own. To me it smelled of a problem with privileges on sequences.
Here's my hypothesis: Mathesar may not be granting the necessary privileges on PK sequences for users to insert rows. I wasn't able to fully validate this hypothesis though.
I've spent the past 30 minutes educating myself about ownership and granted privileges work for sequences, then then trying to cleanly replicate this same error. But I've been running into what feels like a mess of other behaviors within Mathesar I didn't expect. Unfortunately at this point I need to cut my losses and come back to this another time so that I can move on with higher-priority work. But suffice to say: I think it's rather important to spend some focused time hammering at this situation to pull out specific bugs/improvements.
The text was updated successfully, but these errors were encountered: