Re: use has_privs_of_role() for pg_hba.conf

Joshua Brindle <joshua.brindle@crunchydata.com>

From: Joshua Brindle <joshua.brindle@crunchydata.com>
To: Nathan Bossart <nathandbossart@gmail.com>
Cc: PostgreSQL-development <pgsql-hackers@postgresql.org>, Joe Conway <mail@joeconway.com>
Date: 2022-04-04T13:36:13Z
Lists: pgsql-hackers
On Fri, Apr 1, 2022 at 6:06 PM Nathan Bossart <nathandbossart@gmail.com> wrote:
>
> Hi hackers,
>
> 6198420 ensured that has_privs_of_role() is used for predefined roles,
> which means that the role inheritance hierarchy is checked instead of mere
> role membership.  However, inheritance is still not respected for
> pg_hba.conf.  Specifically, "samerole", "samegroup", and "+" still use
> is_member_of_role_nosuper().
>
> The attached patch introduces has_privs_of_role_nosuper() and uses it for
> the aforementioned pg_hba.conf functionality.  I think this is desirable
> for consistency.  If a role_a has membership in role_b but none of its
> privileges (i.e., NOINHERIT), does it make sense that role_a should match
> +role_b in pg_hba.conf?  It is true that role_a could always "SET ROLE
> role_b", and with this change, the user won't even have the ability to log
> in to run SET ROLE.  But I'm not sure if that's a strong enough argument
> for deviating from the standard role privilege checks.
>
> Thoughts?
>

Good catch, I think this is a logical followup to the previous
has_privs_of_role patch.

Reviewed and +1



Commits

  1. Add TAP tests for role membership in pg_hba.conf