Skip to content

Missing grants when object owner changes and former owner has an explicit ACL entry #173

Closed
#174
Closed
Missing grants when object owner changes and former owner has an explicit ACL entry#173
#174
Labels
bugSomething isn't working
Milestone
v1.0.18
@DobryDobry

Description

@DobryDobry
DobryDobry
opened on Apr 24, 2026

When an object's owner changes between the FROM and TO databases, PGC omits GRANT statements for the former owner, even if the former owner has an explicit ACL entry in the TO database.

This affects all object types that support ownership and ACL.

Example:

FROM database:

DO $$ BEGIN
  IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'old_owner') THEN
    CREATE ROLE old_owner WITH LOGIN PASSWORD 'old_owner';
  END IF;
  IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'new_owner') THEN
    CREATE ROLE new_owner WITH LOGIN PASSWORD 'new_owner';
  END IF;
  IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'app_user') THEN
    CREATE ROLE app_user WITH LOGIN PASSWORD 'app_user';
  END IF;
END $$;

CREATE SCHEMA billing AUTHORIZATION old_owner;

CREATE TABLE billing.invoice (
    id integer PRIMARY KEY
);
ALTER TABLE billing.invoice OWNER TO old_owner;

TO database:

DO $$ BEGIN
  IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'old_owner') THEN
    CREATE ROLE old_owner WITH LOGIN PASSWORD 'old_owner';
  END IF;
  IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'new_owner') THEN
    CREATE ROLE new_owner WITH LOGIN PASSWORD 'new_owner';
  END IF;
  IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'app_user') THEN
    CREATE ROLE app_user WITH LOGIN PASSWORD 'app_user';
  END IF;
END $$;

CREATE SCHEMA billing;
ALTER SCHEMA billing OWNER TO new_owner;
GRANT USAGE, CREATE ON SCHEMA billing TO old_owner;
GRANT USAGE ON SCHEMA billing TO app_user;

CREATE TABLE billing.invoice (
    id integer PRIMARY KEY
);
ALTER TABLE billing.invoice OWNER TO new_owner;
GRANT SELECT, INSERT ON TABLE billing.invoice TO old_owner;
GRANT SELECT ON TABLE billing.invoice TO app_user;

Generated script:

ALTER SCHEMA billing OWNER TO new_owner;
GRANT USAGE ON SCHEMA billing TO app_user;
ALTER TABLE billing.invoice OWNER TO new_owner;
GRANT SELECT ON TABLE billing.invoice TO app_user;

-- GRANT for old_owner on schema is missing
-- GRANT for old_owner on table is missing

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions