Re: role self-revocation
Robert Haas <robertmhaas@gmail.com>
From: Robert Haas <robertmhaas@gmail.com>
To: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
Cc: "David G. Johnston" <david.g.johnston@gmail.com>,
Stephen Frost <sfrost@snowman.net>, Joshua Brindle <joshua.brindle@crunchydata.com>,
Mark Dilger <mark.dilger@enterprisedb.com>, Andrew Dunstan <andrew@dunslane.net>,
PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2022-03-10T19:22:05Z
Lists: pgsql-hackers
On Thu, Mar 10, 2022 at 2:05 PM Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote: > On 09.03.22 14:02, Robert Haas wrote: > > On Wed, Mar 9, 2022 at 7:55 AM Peter Eisentraut > > <peter.eisentraut@enterprisedb.com> wrote: > >> Do we have subtractive permissions today? > > > > Not in the GRANT/REVOKE sense, I think, but you can put a user in a > > group and then mention that group in pg_hba.conf. And that line might > > be "reject" or whatever. > > Well, you can always build an external system that looks at roles and > does nonsensical things with it. But the privilege system itself seems > to be additive only. Personally, I agree with the argument that there > should not be any subtractive permissions. The mental model where > permissions are sort of keys to doors or boxes just doesn't work for that. I mean, I didn't design pg_hba.conf, but I think it's part of the database doing a reasonable thing, not an external system doing a nonsensical thing. I am not sure that I (or anyone) would endorse a system where you can say something like GRANT NOT SELECT ON TABLE foo TO bar, essentially putting a negative ACL into the system dictating that, regardless of any other grants that may exist, foo should not be able to SELECT from that table. But I think it's reasonable to use groups as a way of referencing a defined collection of users for some purpose. The pg_hba.conf thing is an example of that. You put all the users that you want to be treated in a certain way for authentication purposes into a group, and then you mention the group in the file, and it just works. I don't find that an unreasonable design at all. We could've created some other kind of grouping mechanism for such purposes that is separate from the role system, but we didn't choose to do that. I don't know if that was the absolute best possible decision or not, but it doesn't seem like an especially bad choice. -- Robert Haas EDB: http://www.enterprisedb.com
Commits
-
Make role grant system more consistent with other privileges.
- ce6b672e4455 16.0 landed
-
Ensure that pg_auth_members.grantor is always valid.
- 6566133c5f52 16.0 landed
-
Remove the ability of a role to administer itself.
- 79de9842ab03 15.0 landed
-
Add tests of the CREATEROLE attribute
- e9d4001ec592 15.0 landed
-
Replace explicit PIN entries in pg_depend with an OID range test.
- a49d08123599 15.0 cited
-
Shore up ADMIN OPTION restrictions.
- fea164a72a7b 9.4.0 cited
-
Add pg_has_role() family of privilege inquiry functions modeled after the
- f9fd1764615e 8.1.0 cited
-
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion
- 4b2dafcc0b1a 8.0.0 cited