Re: SET ROLE documentation improvement
Shubham Khanna <khannashubham1197@gmail.com>
From: Shubham Khanna <khannashubham1197@gmail.com>
To: Nathan Bossart <nathandbossart@gmail.com>
Cc: Yurii Rashkovskii <yrashk@gmail.com>, pgsql-hackers@lists.postgresql.org
Date: 2023-12-05T05:20:40Z
Lists: pgsql-hackers
On Fri, Nov 10, 2023 at 11:11 PM Nathan Bossart <nathandbossart@gmail.com> wrote: > > On Tue, Sep 26, 2023 at 08:33:25AM -0700, Yurii Rashkovskii wrote: > > This is a good start, indeed. I've amended my patch to include it. > > Thanks for the new patch. > > Looking again, I'm kind of hesitant to add too much qualification to this > note about losing superuser privileges. If we changed it to > > Note that when a superuser chooses to SET ROLE to a non-superuser role, > they lose their superuser privileges, except for the privilege to > change to another role again using SET ROLE or RESET ROLE. > > it almost seems to imply that a non-superuser role could obtain the ability > to switch to any role if they first SET ROLE to a superuser. In practice, > that's true because they could just give the session role SUPERUSER, but I > don't think that's the intent of this section. > > I thought about changing it to something like > > Note that when a superuser chooses to SET ROLE to a non-superuser role, > they lose their superuser privileges. However, if the current session > user is a superuser, they retain the ability to set the current user > identifier to any role via SET ROLE and RESET ROLE. > > but it seemed weird to me to single out superusers here when it's always > true that the current session user retains the ability to SET ROLE to any > role they have the SET option on. That is already covered above in the > "Description" section, so I don't really see the need to belabor the point > by adding qualifications to the "Notes" section. ISTM the point of these > couple of paragraphs in the "Notes" section is to explain the effects on > privileges for schemas, tables, etc. > > I still think we should update the existing note about privileges for > SET/RESET ROLE to something like the following: > > diff --git a/doc/src/sgml/ref/set_role.sgml b/doc/src/sgml/ref/set_role.sgml > index 13bad1bf66..c91a95f5af 100644 > --- a/doc/src/sgml/ref/set_role.sgml > +++ b/doc/src/sgml/ref/set_role.sgml > @@ -41,8 +41,10 @@ RESET ROLE > </para> > > <para> > - The specified <replaceable class="parameter">role_name</replaceable> > - must be a role that the current session user is a member of. > + The current session user must have the <literal>SET</option> for the > + specified <replaceable class="parameter">role_name</replaceable>, either > + directly or indirectly via a chain of memberships with the > + <literal>SET</literal> option. > (If the session user is a superuser, any role can be selected.) > </para> > > -- > I have Reviewed the patch. Patch applies neatly without any issues. Documentation build was successful and there was no Spell-check issue also. I did not find any issues. The patch looks good to me. > >Thanks and Regards, >Shubham Khanna.
Commits
-
doc: Note exceptions for SET ROLE's effect on privilege checks.
- 953cf49e166a 17.0 landed
-
doc: Clarify requirements for SET ROLE.
- d82dc79ba03c 16.3 landed
- 3330a8d1b792 17.0 landed