You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/postgresql/migrate/migration-service/concepts-user-roles-migration-service.md
+51-3Lines changed: 51 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -22,12 +22,60 @@ The service automatically provides the following built-in capabilities for the A
22
22
- Migration of ownership of all the database objects on your source server to the target server.
23
23
- Migration of permissions of database objects on your source server, such as GRANTS/REVOKES, to the target server.
24
24
25
-
## Limitations
25
+
## Permission differences between Azure Database for PostgreSQL Single server and Flexible server
26
+
This section explores the differences in permissions granted to the **azure_pg_admin** role across single server and flexible server environments.
26
27
27
-
For a list of limitations, visit [known issues and limitations](concepts-known-issues-migration-service.md#limitations-migrating-from-azure-database-for-postgresql-single-server).
28
+
### PG catalog permissions
29
+
Unlike user-created schemas, which organize database objects into logical groups, pg_catalog is a system schema. It houses crucial system-level information, such as details about tables, columns, and other internal bookkeeping data. Essentially, it’s where PostgreSQL stores important metadata.
28
30
29
-
## Related content
31
+
In a single server environment, a user belonging to the azure_pg_admin role is granted select privileges for all pg_catalog tables and views. However, in a flexible server, we restricted privileges for certain tables and views, allowing only the super user to query them.
32
+
33
+
We removed all privileges for non-superusers on the following pg_catalog tables.
34
+
- pg_authid
35
+
36
+
- pg_largeobject
37
+
38
+
- pg_subscription
39
+
40
+
- pg_user_mapping
41
+
42
+
We removed all privileges for non-superusers on the following pg_catalog views.
43
+
- pg_config
44
+
45
+
- pg_file_settings
46
+
47
+
- pg_hba_file_rules
30
48
49
+
- pg_replication_origin_status
50
+
51
+
- pg_shadow
52
+
53
+
Allowing unrestricted access to these system tables and views could lead to unauthorized modifications, accidental deletions, or even security breaches. By restricting access, we're reducing the risk of unintended changes or data exposure.
54
+
55
+
#### What is the impact?
56
+
- If your application is designed to directly query the affected tables and views, it will encounter issues upon migrating to the flexible server. We strongly advise you to refactor your application to avoid direct queries to these system tables.
57
+
58
+
- If you have granted privileges to any users or roles for the affected pg_catalog tables and views, you encounter an error during the migration process. This error will be identified by the following pattern: **"pg_restore error: could not execute query GRANT/REVOKE PRIVILEGES on TABLENAME to username."**
59
+
To resolve this error, it's necessary to revoke the select privileges granted to various users and roles on the pg_catalog tables and views. You can accomplish this by taking the following steps.
60
+
1. Take a pg_dump of the database containing only the schema by executing the following command from a machine with access to your single server.
2. Search for**GRANT** statements associated with the impacted tables and viewsin the dump file. These GRANT statements follow this format.
65
+
```bash
66
+
GRANT <privileges> to pg_catalog.<impacted tablename/viewname> to <username>;
67
+
```
68
+
3. If any such statements exist, ensure to execute the following command on your single server for each GRANT statement.
69
+
```bash
70
+
REVOKE <privileges> to pg_catalog.<impacted tablename/viewname> from <username>;
71
+
```
72
+
73
+
##### Understanding pg_pltemplate deprecation
74
+
Another important consideration is the deprecation of the **pg_pltemplate** system table within the pg_catalog schema by the PostgreSQL community **starting from version 13.** Therefore, if you're migrating to Flexible Server versions 13 and above, and if you have granted permissions to users on the pg_pltemplate table, it is necessary to revoke these permissions before initiating the migration process. You can follow the same steps outlined above and conduct a search for **pg_pltemplate** in Step 2. Failure to do so leads to a failed migration.
75
+
76
+
After completing these steps, you can proceed to initiate a new migration from the single server to the flexible server using the migration tool. You're expected not to encounter permission-related issues during this process.
0 commit comments