Re: [PATCH v2] use has_privs_for_role for predefined roles
Stephen Frost <sfrost@snowman.net>
From: Stephen Frost <sfrost@snowman.net>
To: Joshua Brindle <joshua.brindle@crunchydata.com>
Cc: Robert Haas <robertmhaas@gmail.com>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2021-11-08T20:44:50Z
Lists: pgsql-hackers
Greetings, * Joshua Brindle (joshua.brindle@crunchydata.com) wrote: > On Wed, Oct 27, 2021 at 5:20 PM Joshua Brindle <joshua.brindle@crunchydata.com> wrote: > > On Wed, Oct 27, 2021 at 5:16 PM Robert Haas <robertmhaas@gmail.com> wrote: > > > On Wed, Oct 27, 2021 at 5:14 PM Joshua Brindle > > > <joshua.brindle@crunchydata.com> wrote: > > > > Attached is an updated version of the patch to replace > > > > is_member_of_role with has_privs_for_role for predefined roles. It > > > > does not remove is_member_of_role from acl.h but it does add a warning > > > > not to use that function for privilege checking. > > > > > > > > Please consider this for the upcoming commitfest. > > > > > > I am not sure I understand what the advantage of this is supposed to be. > > > > Pre-defined roles currently do not operate the same way other roles do > > with respect to inheritance. The patchfile has an explanation and > > examples, I wasn't sure if that needed to be repeated in the email or > > not. > > And FWIW several predefined role patches on the list currently > correctly use has_privs_for_role rather than is_memver_of_role so this > brings the older roles to be consistent with the newer ones being > proposed. Right, we really should be consistent here and we're not and that's not a good thing. Further, if you're logged in as an unprivileged role and expect to not see things that you shouldn't, then it's not good for that to end up happening because you've been GRANT'd a more privileged, but noinherit, role that was given some predefined roles. This doesn't end up being an actual security issue as you could just SET ROLE to that more privileged role, so it's not that you couldn't see that data, just that you should have had to SET ROLE to do so. Reviewing the actual patch, it generally looks good to me except that you missed updating this comment: Superusers or members of pg_read_all_stats members are allowed Thanks, Stephen
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Fix a bug in roles_is_member_of.
- 0101f770a05b 16.0 landed
-
docs: Fix up some out-of-date references to INHERIT/NOINHERIT.
- 620ac285483f 16.0 landed
-
Allow grant-level control of role inheritance behavior.
- e3ce2de09d81 16.0 landed
-
Make role grant system more consistent with other privileges.
- ce6b672e4455 16.0 cited
-
Document basebackup_to_shell.required_role.
- 26a0c025e233 15.0 landed