Skip site navigation (1) Skip section navigation (2)

Re: [PATCHES] Users/Groups -> Roles

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: [PATCHES] Users/Groups -> Roles
Date: 2005-06-29 18:36:51
Message-ID: 20050629183651.GY24207@ns.snowman.net (view raw or flat)
Thread:
Lists: pgsql-hackerspgsql-patches
* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> I notice that AddRoleMems/DelRoleMems assume that ADMIN OPTION is not
> inherited indirectly; that is it must be granted directly to you.
> This seems wrong; SQL99 has under <privileges>
> 
>         19) B has the WITH ADMIN OPTION on a role if a role authorization
>             descriptor identifies the role as granted to B WITH ADMIN OPTION
>             or a role authorization descriptor identifies it as granted WITH
>             ADMIN OPTION to another applicable role for B.
> 
> and in the Access Rules for <grant role statement>
> 
>          1) Every role identified by <role granted> shall be contained
>             in the applicable roles for A and the corresponding role
>             authorization descriptors shall specify WITH ADMIN OPTION.
> 
> I can't see any support in the spec for the idea that WITH ADMIN OPTION
> doesn't flow through role memberships in the same way as ordinary
> membership; can you quote someplace that implies this?

Hrm, no, sorry, I just interpreted the 'Access Rules' line for <grant
role statement> differently.  That is to say:


  1) Every role identified by <role granted> shall be contained
     (Alright, all the roles which you're granting, right)

     in the applicable roles for A and the corresponding role
     (A must be in all the roles which are being granted)

     authorization descriptors shall specify WITH ADMIN OPTION.
     (the grants to A for those rules specify ADMIN OPTION)

This came across to me as meaning "there must exist an authorization
descriptor such that the granted-role equals <role granted>, the grantee
is A and WITH ADMIN OPTION is set".  That could only be true if the
grant was done explicitly.  Reading from 19 above (which I don't recall
seeing before, or at least not reading very carefully) I think you're
right.  Either way is fine with me.

	Thanks,

		Stephen

In response to

pgsql-hackers by date

Next:From: Josh BerkusDate: 2005-06-29 18:37:15
Subject: Checkpoint cost, looks like it is WAL/CRC
Previous:From: Pavel StehuleDate: 2005-06-29 18:36:37
Subject: Re: Proposal: associative arrays for plpgsql (concept)

pgsql-patches by date

Next:From: Stephen FrostDate: 2005-06-29 19:43:54
Subject: Re: Open items
Previous:From: Tom LaneDate: 2005-06-29 17:40:20
Subject: Re: [PATCHES] Users/Groups -> Roles

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group