Re: fixing CREATEROLE
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Mark Dilger <mark.dilger@enterprisedb.com>,
"pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2022-11-23T18:11:01Z
Lists: pgsql-hackers
Robert Haas <robertmhaas@gmail.com> writes: > On Wed, Nov 23, 2022 at 12:36 PM Mark Dilger > <mark.dilger@enterprisedb.com> wrote: >> Yes, this all makes sense, but does it entail that the CREATE ROLE command must behave differently on the basis of a setting? > Well, we certainly don't HAVE to add those new role-level properties; > that's why they are in a separate patch. But I think they add a lot of > useful functionality for a pretty minimal amount of extra code > complexity. I haven't thought about these issues hard enough to form an overall opinion (though I agree that making CREATEROLE less tantamount to superuser would be an improvement). However, I share Mark's discomfort about making these commands act differently depending on context. We learned long ago that allowing GUCs to affect query semantics was a bad idea. Basing query semantics on properties of the issuing role (beyond success-or-permissions-failure) doesn't seem a whole lot different from that. It still means that applications can't just issue command X and expect Y to happen; they have to inquire about context in order to find out that Z might happen instead. That's bad in any case, but it seems especially bad for security-critical behaviors. regards, tom lane
Commits
-
Add new GUC createrole_self_grant.
- e5b8a4c098ad 16.0 landed
-
Restrict the privileges of CREATEROLE users.
- cf5eb37c5ee0 16.0 landed
-
Pass down current user ID to AddRoleMems and DelRoleMems.
- 39cffe95f2c5 16.0 landed
-
Refactor permissions-checking for role grants.
- 25bb03166b16 16.0 landed
-
Improve documentation of the CREATEROLE attibute.
- 0b496bc9881f 11.19 landed
- 1a5ff7be2696 12.14 landed
- 5dac191edf18 13.10 landed
- 1c77873727df 16.0 landed
- 5136c3fb575b 14.7 landed
- aa26980ca081 15.2 landed
-
Make role grant system more consistent with other privileges.
- ce6b672e4455 16.0 cited