| From: | Mark Dilger <mark(dot)dilger(at)enterprisedb(dot)com> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Andrew Dunstan <andrew(at)dunslane(dot)net> |
| Subject: | Re: Role Self-Administration |
| Date: | 2021-10-05 16:38:03 |
| Message-ID: | 7BBD5339-46DA-411D-A8ED-80303DF8D9BA@enterprisedb.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> On Oct 5, 2021, at 9:23 AM, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
>
>> - Disallow roles from being able to REVOKE role membership that they
>> didn't GRANT in the first place.
>
> I think that's not quite the right test. For example, if alice and bob
> are superusers and alice grants pg_monitor to doug, bob should be able
> to revoke that grant even though he is not alice.
Additionally, role "alice" might not exist anymore, which would leave the privilege irrevocable. It's helpful to think in terms of role ownership rather than role creation:
superuser
+---> alice
+---> charlie
+---> diane
+---> bob
It makes sense that alice can take ownership of diane and drop charlie, but not that bob can do so. Nor should charlie be able to transfer ownership of diane to alice. Nor should charlie be able to drop himself.
—
Mark Dilger
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Amul Sul | 2021-10-05 16:41:10 | Re: using an end-of-recovery record in all cases |
| Previous Message | Simon Riggs | 2021-10-05 16:28:33 | Re: Next Steps with Hash Indexes |