Re: role self-revocation

David G. Johnston <david.g.johnston@gmail.com>

From: "David G. Johnston" <david.g.johnston@gmail.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Mark Dilger <mark.dilger@enterprisedb.com>, Robert Haas <robertmhaas@gmail.com>, Stephen Frost <sfrost@snowman.net>, Joshua Brindle <joshua.brindle@crunchydata.com>, Andrew Dunstan <andrew@dunslane.net>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2022-03-07T21:34:20Z
Lists: pgsql-hackers
On Mon, Mar 7, 2022 at 1:16 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:

> Based on Robert's archaeological dig, it now seems that the fact that
> we have any such behavior at all was just a mistake.  What would be
> lost if we drop it?
>

Probably nothing that couldn't be replaced, and with a better model, but I
do have a concern that there are setups in the wild inadvertently using
this behavior.  Enough so that I would vote to change it but include a
migration GUC to restore the current behavior, probably with a deprecation
warning.  Kinda depends on the post-change dump/restore mechanics.  But
just tearing it out wouldn't seem extraordinary for us.


>
> Having said that, one thing that I find fishy is that it's not clear
> where the admin privilege for a role originates.


I do not see a problem with there being no inherent admin privilege for a
role.  A superuser or CREATEROLE user holds admin privilege on all roles in
the cluster.  They can delegate the privilege to administer a role to yet
another role in the system.  The necessitates creating two roles - the one
being administered and the one being delegated to.  I don't see a benefit
to saving which specific superuser or CREATEROLE user "owns" the role that
is to be administered.  Not unless non-owner CREATEROLE users are prevented
from exercising admin privileges on the role.  That all said, I'd accept
the choice to include such ownership information as a requirement for
meeting the auditing needs of DBAs.  But I would argue that such auditing
probably needs to be external to the working system - the fact that
ownership can be changed reduces the benefit of an in-database value.

> If we recorded

which user created the role, we could act as though that user has
> admin privilege (whether or not it's a member).


I suppose we could record the current owner of a role but that seems
unnecessary.  I dislike using the "created" concept by virtue of the fact
that, for routines, "security definer" implies creator but it actually
means "security owner".

David J.

Commits

  1. Make role grant system more consistent with other privileges.

  2. Ensure that pg_auth_members.grantor is always valid.

  3. Remove the ability of a role to administer itself.

  4. Add tests of the CREATEROLE attribute

  5. Replace explicit PIN entries in pg_depend with an OID range test.

  6. Shore up ADMIN OPTION restrictions.

  7. Add pg_has_role() family of privilege inquiry functions modeled after the

  8. Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion