From: | Joshua Brindle <joshua(dot)brindle(at)crunchydata(dot)com> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Joe Conway <mail(at)joeconway(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "Bossart, Nathan" <bossartn(at)amazon(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [PATCH v2] use has_privs_for_role for predefined roles |
Date: | 2022-02-08 15:00:10 |
Message-ID: | CAGB+Vh5h29oiq=paMPoz_f8rAOhF0AFkAup6Wo2+td=JJ+8Brw@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Tue, Feb 8, 2022 at 8:46 AM Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
>
> On Tue, Feb 8, 2022 at 6:59 AM Joe Conway <mail(at)joeconway(dot)com> wrote:
> > This is similar to bob's access to the default superuser privilege to
> > read data in someone else's table (must SET ROLE to access that capability).
> >
> > But it is different from bob's access to inherited privileges which are
> > GRANTed:
>
> Yeah. I think right here you've put your finger on what's been bugging
> me about this: it's similar to one thing, and it's different from
> another. To you and Joshua and Stephen, it seems 100% obvious that
> these roles should work like grants of other roles. But I think of
> them as capabilities derived from the superuser account, and so I'm
> sort of tempted to think that they should work the way the superuser
> bit does. And that's why I don't think the fact that they work the
> other way is "just a bug" -- it's one of two possible ways that
> someone could think that it ought to work based on how other things in
> the system actually do work.
>
> I'm not hard stuck on the idea that the current behavior is right, but
> I don't think that we can really say that we've made things fully
> consistent unless we make things like SUPERUSER and BYPASSRLS work the
> same way that you want to make predefined roles work. And probably do
> something about the INHERIT flag too because the current situation
> seems like a hot mess.
I think hot mess is an apt description of the current situation, for
example consider that:
src/backend/catalog/aclchk.c
3931: has_privs_of_role(roleid, ROLE_PG_READ_ALL_DATA))
3943: has_privs_of_role(roleid, ROLE_PG_WRITE_ALL_DATA))
4279: (has_privs_of_role(roleid, ROLE_PG_READ_ALL_DATA) ||
4280: has_privs_of_role(roleid, ROLE_PG_WRITE_ALL_DATA)))
src/backend/storage/ipc/signalfuncs.c
82: if (!has_privs_of_role(GetUserId(), proc->roleId) &&
83: !has_privs_of_role(GetUserId(), ROLE_PG_SIGNAL_BACKEND))
src/backend/storage/ipc/procarray.c
3843: if (!has_privs_of_role(GetUserId(), proc->roleId) &&
3844: !has_privs_of_role(GetUserId(), ROLE_PG_SIGNAL_BACKEND))
src/backend/tcop/utility.c
943: if (!has_privs_of_role(GetUserId(), ROLE_PG_CHECKPOINTER))
4 predefined roles currently use has_privs_of_role in master.
Further, pg_monitor, as an SQL-only predefined role, also behaves
consistently with the INHERIT rules that other roles do.
In order for SQL-only predefined roles to ignore INHERIT we would need
to hardcode bypasses for them, which IMO seems like the worst possible
solution to the current inconsistency.
From | Date | Subject | |
---|---|---|---|
Next Message | Alvaro Herrera | 2022-02-08 15:00:41 | Re: libpq async duplicate error results |
Previous Message | Ashutosh Sharma | 2022-02-08 14:57:32 | Re: Synchronizing slots from primary to standby |