]> git.ipfire.org Git - thirdparty/postgresql.git/commitdiff
Add hints for sequence synchronization permission warnings
authorFujii Masao <fujii@postgresql.org>
Wed, 8 Jul 2026 09:16:38 +0000 (18:16 +0900)
committerFujii Masao <fujii@postgresql.org>
Wed, 8 Jul 2026 09:17:00 +0000 (18:17 +0900)
Sequence synchronization reports insufficient privileges on publisher
and subscriber sequences, but the warnings do not indicate which role
needs which privilege. This makes common configuration mistakes harder
to diagnose.

Add HINT messages for these warnings. Publisher-side warnings suggest
granting SELECT to the role used for the replication connection.
Subscriber-side warnings suggest granting UPDATE to the subscription
owner when run_as_owner is enabled. Otherwise, the worker runs as the
sequence owner, so no useful GRANT hint can be provided.

Suggested-by : Amit Kapila <amit.kapila16@gmail.com>
Author: Fujii Masao <masao.fujii@gmail.com>
Reviewed-by: Amit Kapila <amit.kapila16@gmail.com>
Reviewed-by: Bharath Rupireddy <bharath.rupireddyforpostgres@gmail.com>
Discussion: https://postgr.es/m/CAA4eK1JOo0aJRhFHNWpj3hMwaTtNOopY34f1Lh_QD=z=+DrzWQ@mail.gmail.com
Backpatch-through: 19

doc/src/sgml/logical-replication.sgml
src/backend/replication/logical/sequencesync.c

index 5befefd9c5af0e81ffcc5c14e67792396ecb9e6f..d7d75b7c9a506f7269f5ffa3429e4e88c718990b 100644 (file)
@@ -2542,9 +2542,10 @@ CONTEXT:  processing remote data for replication origin "pg_16395" during "INSER
   </para>
 
   <para>
-   In order to be able to copy the initial table or sequence data, the role
-   used for the replication connection must have the <literal>SELECT</literal>
-   privilege on a published table or sequence (or be a superuser).
+   In order to be able to copy the initial table data or synchronize
+   sequences, the role used for the replication connection must have the
+   <literal>SELECT</literal> privilege on a published table or sequence (or be
+   a superuser).
   </para>
 
   <para>
@@ -2611,6 +2612,13 @@ CONTEXT:  processing remote data for replication origin "pg_16395" during "INSER
    security within the database is of no concern.
   </para>
 
+  <para>
+   When synchronizing sequences with
+   <literal>run_as_owner = true</literal>, the subscription owner similarly
+   needs <literal>UPDATE</literal> privilege on the target sequence and does
+   not need privileges to <literal>SET ROLE</literal> to the sequence owner.
+  </para>
+
   <para>
    On the publisher, privileges are only checked once at the start of a
    replication connection and are not re-checked as each change record is read.
index f47f962c7db48c06cfe21f6fe90a45b6e43f7bf5..770fa5de10b8305a0f64a0344172ecb6ae1ab32d 100644 (file)
@@ -201,12 +201,26 @@ report_sequence_errors(List *mismatched_seqs_idx,
        if (sub_insuffperm_seqs_idx)
        {
                get_sequences_string(sub_insuffperm_seqs_idx, &seqstr);
+
+               /*
+                * With run_as_owner enabled, sequence synchronization runs as the
+                * subscription owner, so a missing UPDATE privilege should be granted
+                * to that role. Otherwise, the worker switches to the sequence owner
+                * before checking privileges, so no useful GRANT hint can be
+                * provided.
+                */
                ereport(WARNING,
                                errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
                                errmsg_plural("insufficient privileges on subscriber sequence (%s)",
                                                          "insufficient privileges on subscriber sequences (%s)",
                                                          list_length(sub_insuffperm_seqs_idx),
-                                                         seqstr.data));
+                                                         seqstr.data),
+                               MySubscription->runasowner ?
+                               errhint_plural("Grant UPDATE on the sequence to the subscription "
+                                                          "owner on the subscriber.",
+                                                          "Grant UPDATE on the sequences to the subscription "
+                                                          "owner on the subscriber.",
+                                                          list_length(sub_insuffperm_seqs_idx)) : 0);
        }
 
        if (pub_insuffperm_seqs_idx)
@@ -217,7 +231,12 @@ report_sequence_errors(List *mismatched_seqs_idx,
                                errmsg_plural("insufficient privileges on publisher sequence (%s)",
                                                          "insufficient privileges on publisher sequences (%s)",
                                                          list_length(pub_insuffperm_seqs_idx),
-                                                         seqstr.data));
+                                                         seqstr.data),
+                               errhint_plural("Grant SELECT on the sequence to the role used for "
+                                                          "the replication connection on the publisher.",
+                                                          "Grant SELECT on the sequences to the role used for "
+                                                          "the replication connection on the publisher.",
+                                                          list_length(pub_insuffperm_seqs_idx)));
        }
 
        if (missing_seqs_idx)