Re: Role Self-Administration

Greetings,

On Tue, Oct 5, 2021 at 12:23 Robert Haas <robertmhaas(at)gmail(dot)com> wrote:

> On Mon, Oct 4, 2021 at 10:57 PM Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> > - Disallow roles from being able to REVOKE role membership that they
> > didn't GRANT in the first place.
>
> I think that's not quite the right test. For example, if alice and bob
> are superusers and alice grants pg_monitor to doug, bob should be able
> to revoke that grant even though he is not alice.
>
> I think the rule should be: roles shouldn't be able to REVOKE role
> memberships unless they can become the grantor.

Yes, role membership still equating to “being” that role still holds with
this, even though I didn’t say so explicitly.

But I think maybe if it should even be more general than that and
> apply to all sorts of grants, rather than just roles and role
> memberships: roles shouldn't be able to REVOKE any granted permission
> unless they can become the grantor.

Right, this was covered towards the end of my email, though again evidently
not clearly enough, sorry about that.

For example, if bob grants SELECT on one of his tables to alice, he
> should be able to revoke the grant, too. But if the superuser performs
> the grant, why should bob be able to revoke it? The superuser has
> spoken, and bob shouldn't get to interfere ... unless of course he's
> also a superuser.

Mostly agreed except I’d exclude the explicit “superuser” flag bit and just
say if r1 granted the right, r2 shouldn’t be the one who is allowed to
revoke it until r2 happens to also be a member of r1.

Thanks,

Stephen

>