Skip to content

Make ag_catalog ownership and built-in resolution explicit#2440

Open
jrgemignani wants to merge 1 commit into
apache:masterfrom
jrgemignani:tighten_ag_catalog_ownership
Open

Make ag_catalog ownership and built-in resolution explicit#2440
jrgemignani wants to merge 1 commit into
apache:masterfrom
jrgemignani:tighten_ag_catalog_ownership

Conversation

@jrgemignani

@jrgemignani jrgemignani commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

AGE places all of its objects in the ag_catalog schema. Make the assumptions around that schema explicit so installs and upgrades behave predictably regardless of how a database is provisioned:

  • Ownership-checked install: CREATE EXTENSION age installs into ag_catalog only when that schema does not already exist under a different owner, keeping ownership of AGE's catalog well-defined.
  • Deterministic name resolution: the pg_upgrade helper functions resolve built-ins from pg_catalog first and schema-qualify their format()/hashtext() calls, so their behavior does not depend on what else is defined in ag_catalog.
  • README note describing ag_catalog ownership and the install-time check.

The upgrade script applies the same helper changes so existing installations get them on ALTER EXTENSION UPDATE. Adds an extension_security regression test covering the ownership check and the qualified-call / search_path properties.

Assisted-by: GitHub Copilot (Claude Opus 4.8)

modified: Makefile
modified: README.md
modified: age--1.7.0--y.y.y.sql
new file: regress/expected/extension_security.out
new file: regress/sql/extension_security.sql
modified: sql/age_main.sql
modified: sql/age_pg_upgrade.sql

@jrgemignani
Make ag_catalog ownership and built-in resolution explicit
7ca221f 
AGE places all of its objects in the ag_catalog schema. Make the
assumptions around that schema explicit so installs and upgrades behave
predictably regardless of how a database is provisioned:

- Ownership-checked install: CREATE EXTENSION age installs into
  ag_catalog only when that schema does not already exist under a
  different owner, keeping ownership of AGE's catalog well-defined.
- Deterministic name resolution: the pg_upgrade helper functions resolve
  built-ins from pg_catalog first and schema-qualify their
  format()/hashtext() calls, so their behavior does not depend on what
  else is defined in ag_catalog.
- README note describing ag_catalog ownership and the install-time check.

The upgrade script applies the same helper changes so existing
installations get them on ALTER EXTENSION UPDATE. Adds an
extension_security regression test covering the ownership check and the
qualified-call / search_path properties.

Assisted-by: GitHub Copilot (Claude Opus 4.8)

modified:   Makefile
modified:   README.md
modified:   age--1.7.0--y.y.y.sql
new file:   regress/expected/extension_security.out
new file:   regress/sql/extension_security.sql
modified:   sql/age_main.sql
modified:   sql/age_pg_upgrade.sql
Copilot AI reviewed Jun 17, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR makes Apache AGE’s assumptions about the ag_catalog schema explicit to improve install/upgrade predictability and harden behavior against search-path object shadowing.

Changes:

  • Add an install-time guard to refuse CREATE EXTENSION age when a pre-existing ag_catalog schema is owned by a different role.
  • Make pg_upgrade helper functions resolve built-ins deterministically by preferring pg_catalog and schema-qualifying format()/hashtext() calls.
  • Add regression coverage for the helper search_path/qualification properties and the ownership-detection logic, plus a README note documenting the new install behavior.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
sql/age_main.sql Adds an install-time ownership guard for ag_catalog.
sql/age_pg_upgrade.sql Prefers pg_catalog in helper search_path and qualifies key built-in calls.
age--1.7.0--y.y.y.sql Applies the same pg_upgrade helper hardening in the extension upgrade script.
regress/sql/extension_security.sql Adds a regression test validating helper proconfig and built-in qualification patterns.
regress/expected/extension_security.out Expected output for the new regression test.
Makefile Registers the new extension_security regression test.
README.md Documents the ag_catalog ownership expectation and install-time refusal behavior.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread sql/age_main.sql
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@MuhammadTahaNaveed MuhammadTahaNaveed Awaiting requested review from MuhammadTahaNaveed

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

1.8.0 priority

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jrgemignani