Re: use has_privs_of_role() for pg_hba.conf
Robert Haas <robertmhaas@gmail.com>
From: Robert Haas <robertmhaas@gmail.com>
To: Nathan Bossart <nathandbossart@gmail.com>
Cc: pgsql-hackers@postgresql.org
Date: 2022-10-07T11:59:08Z
Lists: pgsql-hackers
On Fri, Apr 1, 2022 at 6:07 PM Nathan Bossart <nathandbossart@gmail.com> wrote: > > 6198420 ensured that has_privs_of_role() is used for predefined roles, > which means that the role inheritance hierarchy is checked instead of mere > role membership. However, inheritance is still not respected for > pg_hba.conf. Specifically, "samerole", "samegroup", and "+" still use > is_member_of_role_nosuper(). > > The attached patch introduces has_privs_of_role_nosuper() and uses it for > the aforementioned pg_hba.conf functionality. I think this is desirable > for consistency. If a role_a has membership in role_b but none of its > privileges (i.e., NOINHERIT), does it make sense that role_a should match > +role_b in pg_hba.conf? It is true that role_a could always "SET ROLE > role_b", and with this change, the user won't even have the ability to log > in to run SET ROLE. But I'm not sure if that's a strong enough argument > for deviating from the standard role privilege checks. I hadn't noticed this thread before. I'm not sure whether this is properly considered a privilege check. It could even be an anti-privilege, if the pg_hba.conf line in question is maked "reject". I'm not taking the position that what this patch does is wrong, but I *am* taking the position that it's a judgement call what the correct behavior is here. -- Robert Haas EDB: http://www.enterprisedb.com
Commits
-
Add TAP tests for role membership in pg_hba.conf
- 8432a815feb8 16.0 landed