Re: CREATEROLE and role ownership hierarchies
Robert Haas <robertmhaas@gmail.com>
From: Robert Haas <robertmhaas@gmail.com>
To: Stephen Frost <sfrost@snowman.net>
Cc: Andrew Dunstan <andrew@dunslane.net>, "Bossart,
Nathan" <bossartn@amazon.com>, Jeff Davis <pgsql@j-davis.com>,
Joshua Brindle <joshua.brindle@crunchydata.com>, Mark Dilger <mark.dilger@enterprisedb.com>, PostgreSQL-development <pgsql-hackers@postgresql.org>,
Shinya Kato <Shinya11.Kato@oss.nttdata.com>
Date: 2022-01-24T21:41:50Z
Lists: pgsql-hackers
On Mon, Jan 24, 2022 at 4:23 PM Stephen Frost <sfrost@snowman.net> wrote: > The idea behind this patch is to enable creation and dropping of roles, which isn’t possible now without being effectively a superuser. > > Forcing owners to also implicitly have all rights of the roles they create is orthogonal to that and an unnecessary change. I just took a look at the first email on this thread and it says this: >>> These patches have been split off the now deprecated monolithic "Delegating superuser tasks to new security roles" thread at [1]. Therefore I think it is pretty clear that the goals of this patch set include being able to delegate superuser tasks to new security roles. And having those tasks be delegated but *work randomly differently* is much less useful. > I am not saying that we would explicitly set all cases to be noninherit or that we would even change the default away from what it is today, only that we should use the existing role system and it’s concept of inherit-vs-noninherit rather than throwing all of that away. INHERIT vs. NOINHERIT is documented to control the behavior of role *membership*. This patch is introducing a new concept of role *ownership*. It's not self-evident that what applies to one case should apply to the other. > Further, being able to require a SET ROLE before running a given operation is certainly a benefit in much the same way that having a user have to sudo before running an operation is. That's a reasonable point of view, but having things work similarly to what happens for a superuser is ALSO a very big benefit. In my opinion, in fact, it is a far larger benefit. -- Robert Haas EDB: http://www.enterprisedb.com
Commits
-
Make role grant system more consistent with other privileges.
- ce6b672e4455 16.0 landed
-
Ensure that pg_auth_members.grantor is always valid.
- 6566133c5f52 16.0 landed
-
Remove the ability of a role to administer itself.
- 79de9842ab03 15.0 landed
-
Add tests of the CREATEROLE attribute
- e9d4001ec592 15.0 landed
-
Replace explicit PIN entries in pg_depend with an OID range test.
- a49d08123599 15.0 cited
-
Shore up ADMIN OPTION restrictions.
- fea164a72a7b 9.4.0 cited
-
Add pg_has_role() family of privilege inquiry functions modeled after the
- f9fd1764615e 8.1.0 cited
-
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion
- 4b2dafcc0b1a 8.0.0 cited