Re: pg_auth_members.grantor is bunk
David G. Johnston <david.g.johnston@gmail.com>
From: "David G. Johnston" <david.g.johnston@gmail.com>
To: Stephen Frost <sfrost@snowman.net>
Cc: Robert Haas <robertmhaas@gmail.com>, Tom Lane <tgl@sss.pgh.pa.us>, Mark Dilger <mark.dilger@enterprisedb.com>,
Andrew Dunstan <andrew@dunslane.net>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2022-07-31T18:43:48Z
Lists: pgsql-hackers
On Sun, Jul 31, 2022 at 11:18 AM Stephen Frost <sfrost@snowman.net> wrote: > Greetings, > > * Robert Haas (robertmhaas@gmail.com) wrote: > > On Tue, Jul 26, 2022 at 12:46 PM Robert Haas <robertmhaas@gmail.com> > wrote: > > + } > + > + /* > + * Disallow attempts to grant ADMIN OPTION back to a user who > granted it > + * to you, similar to what check_circularity does for ACLs. We > want the > + * chains of grants to remain acyclic, so that it's always > possible to use > + * REVOKE .. CASCADE to clean up all grants that depend on the one > being > + * revoked. > + * > + * NB: This check might look redundant with the check for > membership > + * loops above, but it isn't. That's checking for role-member loop > (e.g. > + * A is a member of B and B is a member of A) while this is > checking for > + * a member-grantor loop (e.g. A gave ADMIN OPTION to X to B and > now B, who > + * has no other source of ADMIN OPTION on X, tries to give ADMIN > OPTION > + * on X back to A). > + */ > > With this exact scenario, wouldn't it just be a no-op as A must have > ADMIN OPTION already on X? The spec says that no cycles of role > authorizations are allowed. Role A must have admin option for X to grant membership in X (with or without admin option) to B. But that doesn't preclude A from getting another admin option from someone else. That someone else cannot be someone to whom they gave admin option to however. So B cannot grant admin option back to A but role P could if it was basically a sibling of A (i.e., both getting their initial admin option from someone else). If they do have admin option twice it should be possible to drop one of them, the prohibition should be on dropping the only admin option permission a role has for some other role. The commit message for 2 contemplates this though I haven't gone through the revocation code in detail. > I'm trying to get this review out sooner than later and so I might be > missing something, but looking at the regression test for this and these > error messages, feels like the 'circular' error message makes more sense > than the 'your own grantor' message that actually ends up being > returned in that regression test. > Having a more specific error seems reasonable, faster to track down what the problem is. I think that the whole graph dynamic of this might need some presentation work (messages and/or psql and/or functions) ; but assuming the errors are handled improved messages and/or presentation of graphs can be a separate enhancement. David J.
Commits
-
Make role grant system more consistent with other privileges.
- ce6b672e4455 16.0 landed
-
Ensure that pg_auth_members.grantor is always valid.
- 6566133c5f52 16.0 landed
-
Remove the ability of a role to administer itself.
- 79de9842ab03 15.0 landed
-
Add tests of the CREATEROLE attribute
- e9d4001ec592 15.0 landed
-
Replace explicit PIN entries in pg_depend with an OID range test.
- a49d08123599 15.0 cited
-
Shore up ADMIN OPTION restrictions.
- fea164a72a7b 9.4.0 cited
-
Add pg_has_role() family of privilege inquiry functions modeled after the
- f9fd1764615e 8.1.0 cited
-
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion
- 4b2dafcc0b1a 8.0.0 cited