fix: search path and migration grants #1939
Open
+67
−6
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Collaborator
|
@staaldraad If it helps it looks like you just have to update pg_regress test for pgbouncer Click to view log excerpt2025-11-21T13:26:09.3182288Z test pgaudit ... ok 7 ms
2025-11-21T13:26:09.3182347Z test pgbouncer ... FAILED 12 ms
2025-11-21T13:26:09.3182399Z test pgmq ... ok 17 ms
2025-11-21T13:26:09.3182458Z test pgroonga ... ok 17 ms
2025-11-21T13:26:09.3182514Z test pgrouting ... ok 7 ms
2025-11-21T13:26:09.3182571Z test pgsodium ... ok 5 ms
2025-11-21T13:26:09.3182623Z test pgtap ... ok 6 ms
2025-11-21T13:26:09.3182691Z test plpgsql-check ... ok 7 ms
2025-11-21T13:26:09.3182748Z test postgis ... ok 23 ms
2025-11-21T13:26:09.3182808Z test postgres_fdw ... ok 5 ms
2025-11-21T13:26:09.3182910Z test realtime ... ok 3 ms
2025-11-21T13:26:09.3182966Z test roles ... ok 6 ms
2025-11-21T13:26:09.3183023Z test security ... ok 6 ms
2025-11-21T13:26:09.3183083Z test storage ... ok 9 ms
2025-11-21T13:26:09.3183142Z test vault ... ok 6 ms
2025-11-21T13:26:09.3183201Z test wal2json ... ok 7 ms
2025-11-21T13:26:09.3183258Z test z_15_ext_interface ... ok 322 ms
2025-11-21T13:26:09.3183316Z test z_15_pg_stat_monitor ... ok 9 ms
2025-11-21T13:26:09.3183374Z test z_15_pgjwt ... ok 14 ms
2025-11-21T13:26:09.3183434Z test z_15_pgvector ... ok 23 ms
2025-11-21T13:26:09.3183491Z test z_15_plv8 ... ok 36 ms
2025-11-21T13:26:09.3183543Z test z_15_roles ... ok 12 ms
2025-11-21T13:26:09.3183600Z test z_15_rum ... ok 14 ms
2025-11-21T13:26:09.3183655Z test z_15_timescale ... ok 14 ms
2025-11-21T13:26:09.3183657Z
2025-11-21T13:26:09.3183699Z =======================
2025-11-21T13:26:09.3183739Z 1 of 50 tests failed.
2025-11-21T13:26:09.3183779Z =======================
2025-11-21T13:26:09.3183781Z
2025-11-21T13:26:09.3183870Z The differences that caused some tests to fail can be viewed in the
2025-11-21T13:26:09.3184105Z file "/nix/store/nzvf94rj1mxi76iaf4cg0n0d6im16mfz-run-check-harness-psql-15/regression_output/regression.diffs". A copy of the test summary that you see
2025-11-21T13:26:09.3184294Z above is saved in the file "/nix/store/nzvf94rj1mxi76iaf4cg0n0d6im16mfz-run-check-harness-psql-15/regression_output/regression.out".
2025-11-21T13:26:09.3184360Z
2025-11-21T13:26:09.3184421Z 2025-11-21 13:26:09 [ERROR] pg_regress tests failed
2025-11-21T13:26:09.3184490Z 2025-11-21 13:26:09 [ERROR] An error occurred. Exit code: 1
2025-11-21T13:26:09.3184540Z 2025-11-21 13:26:09 [ERROR] Debug logs:
2025-11-21T13:26:09.3184701Z error: Cannot build '/nix/store/93s9a069j8w3akx4202gpkrcadsrq3cl-run-check-harness-psql-15.drv'.
2025-11-21T13:26:09.3184760Z Reason: builder failed with exit code 1.
2025-11-21T13:26:09.3184800Z Output paths:
2025-11-21T13:26:09.3184911Z /nix/store/nzvf94rj1mxi76iaf4cg0n0d6im16mfz-run-check-harness-psql-15
2025-11-21T13:26:09.3184956Z Last 25 log lines:
2025-11-21T13:26:09.3185018Z > test roles ... ok 6 ms
2025-11-21T13:26:09.3185082Z > test security ... ok 6 ms
2025-11-21T13:26:09.3185140Z > test storage ... ok 9 ms
2025-11-21T13:26:09.3185200Z > test vault ... ok 6 ms
2025-11-21T13:26:09.3185260Z > test wal2json ... ok 7 ms
2025-11-21T13:26:09.3185322Z > test z_15_ext_interface ... ok 322 ms
2025-11-21T13:26:09.3185380Z > test z_15_pg_stat_monitor ... ok 9 ms
2025-11-21T13:26:09.3185440Z > test z_15_pgjwt ... ok 14 ms
2025-11-21T13:26:09.3185496Z > test z_15_pgvector ... ok 23 ms
2025-11-21T13:26:09.3185553Z > test z_15_plv8 ... ok 36 ms
2025-11-21T13:26:09.3185607Z > test z_15_roles ... ok 12 ms
2025-11-21T13:26:09.3185666Z > test z_15_rum ... ok 14 ms
2025-11-21T13:26:09.3185723Z > test z_15_timescale ... ok 14 ms
2025-11-21T13:26:09.3185763Z >
2025-11-21T13:26:09.3185806Z > =======================
2025-11-21T13:26:09.3185850Z > 1 of 50 tests failed.
2025-11-21T13:26:09.3185889Z > =======================
2025-11-21T13:26:09.3185925Z >
2025-11-21T13:26:09.3186010Z > The differences that caused some tests to fail can be viewed in the
2025-11-21T13:26:09.3186291Z > file "/nix/store/nzvf94rj1mxi76iaf4cg0n0d6im16mfz-run-check-harness-psql-15/regression_output/regression.diffs". A copy of the test summary that you see
2025-11-21T13:26:09.3186482Z > above is saved in the file "/nix/store/nzvf94rj1mxi76iaf4cg0n0d6im16mfz-run-check-harness-psql-15/regression_output/regression.out".
2025-11-21T13:26:09.3186520Z >
2025-11-21T13:26:09.3186584Z > 2025-11-21 13:26:09 [ERROR] pg_regress tests failed
2025-11-21T13:26:09.3186653Z > 2025-11-21 13:26:09 [ERROR] An error occurred. Exit code: 1
2025-11-21T13:26:09.3186708Z > 2025-11-21 13:26:09 [ERROR] Debug logs:
2025-11-21T13:26:09.3186751Z For full logs, run:
2025-11-21T13:26:09.3186874Z nix log /nix/store/93s9a069j8w3akx4202gpkrcadsrq3cl-run-check-harness-psql-15.drv
2025-11-21T13:26:09.7114796Z INFO:nix_fast_build:builds: 2, uploads: 0, downloads: 0
2025-11-21T13:26:12.8264095Z post-build-hook: copying 1 paths...
2025-11-21T13:26:12.8266572Z post-build-hook: copying path '/nix/store/7qzjh1gdjkhvbk8193i4dwfjn4sasg0f-nix-shell' to 's3://nix-postgres-artifacts'...
2025-11-21T13:26:13.0558711Z post-build-hook: uploaded 's3://nix-postgres-artifacts/nar/0hqv4c2mgjk1cqxg838p4849nvhfqbd9h07z2127djbi7kgxffyr.nar.xz' (8040 bytes) in 156 ms
2025-11-21T13:26:13.1974668Z post-build-hook: uploaded 's3://nix-postgres-artifacts/7qzjh1gdjkhvbk8193i4dwfjn4sasg0f.narinfo' (9684 bytes) in 141 ms
2025-11-21T13:26:13.2244484Z /nix/store/7qzjh1gdjkhvbk8193i4dwfjn4sasg0f-nix-shell
2025-11-21T13:26:13.2265092Z ERROR:nix_fast_build:BUILD: 28 successes, 3 failuresyou can run |
samrose
force-pushed
the
etienne/sec-599-missing-search-path
branch
from
d2de7b4 to
34414a8
Compare
samrose
reviewed
Nov 24, 2025
Collaborator
|
@staaldraad it's a lot of work, but I recommend creating testing suffix on ansible/vars.yml and building a testing AMI to test this one out. Also @encima might want to know about this PR as he is working on #1572 |
soedirgo
force-pushed
the
etienne/sec-599-missing-search-path
branch
from
87cd7a6 to
50e91ec
Compare
search_path not set on pgbouncer.get_auth and later migrations don't apply permissions correctly.
staaldraad
force-pushed
the
etienne/sec-599-missing-search-path
branch
from
9a81fa8 to
4cdaa6d
Compare
staaldraad
force-pushed
the
etienne/sec-599-missing-search-path
branch
from
4cdaa6d to
b32307c
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
search_path not set on pgbouncer.get_auth and later migrations don't apply permissions correctly.