Re: Proposal: Role Sandboxing for Secure Impersonation

Michał Kłeczek <michal@kleczek.org>

From: Michał Kłeczek <michal@kleczek.org>
To: Eric Hanson <eric@aquameta.com>
Cc: Wolfgang Walther <walther@technowledgy.de>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2024-12-04T19:49:36Z
Lists: pgsql-hackers

> On 4 Dec 2024, at 17:13, Eric Hanson <eric@aquameta.com> wrote:
> 
> On Mon, Dec 2, 2024 at 10:31 AM Wolfgang Walther <walther@technowledgy.de <mailto:walther@technowledgy.de>> wrote:
>> Eric Hanson:
>> > a) Transaction ("local") Sandbox:
>> > - SET LOCAL ROLE alice NO RESET;
>> > - SET LOCAL ROLE alice WITHOUT RESET;
[snip]
>> > c) "Guarded" Transaction/Session
>> > - SET [LOCAL] ROLE alice GUARDED BY reset_token;
>> > - RESET ROLE WITH TOKEN reset_token;

These are preferable options for PostgREST (at least as long as JWT based impersonation is implemented in Postgres).

>> > 
>> > Guarded sandboxes are nice because the session can also exit the sandbox 
>> > if it has the token.
>> d) SET [LOCAL] ROLE alice WITH <password>;
>> 

PostgREST does not know alice's password as it performs JWT based authentication.

Regards

—
Michal