Thread
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Allow choosing specific grantors via GRANT/REVOKE ... GRANTED BY.
- dd1398f13787 19 (unreleased) landed
-
Re: Re: Revoke Connect Privilege from Database not working
David G. Johnston <david.g.johnston@gmail.com> — 2025-04-07T13:42:28Z
On Monday, April 7, 2025, Ing. Marijo Kristo <marijo.kristo@icloud.com> wrote: > > > Seems like a bug to me. > Can someone else verifiy this ? > It would help greatly if you create a reproducer that starts from a clean install, creates the roles and database, and demonstrates the issue. > postgres=# \du vault_admin; > List of roles > Role name | Attributes > -------------+------------------------ > vault_admin | Superuser, Create role > > postgres=# set role vault_admin; > You are setting role to another role that has superuser which is basically pointless. Use “granted by” in your revoke command. If that works this isn’t a bug. David J.
-
Aw: Re: Re: Revoke Connect Privilege from Database not working
Ing. Marijo Kristo <marijo.kristo@icloud.com> — 2025-04-07T14:27:41Z
Hi, here is a full reproducer. Also revoking with the granted by clause does not work. #clean initialization postgres=# create database testdb owner postgres; CREATE DATABASE postgres=# create user test_admin createrole; CREATE ROLE postgres=# alter user test_admin with password 'test1234'; ALTER ROLE postgres=# grant connect on database testdb to test_admin with grant option; GRANT #create user and grant connect privilege with test_admin postgres=# set role test_admin; SET postgres=> create user test_user password 'testuserpw'; CREATE ROLE postgres=> grant connect on database testdb to test_user; GRANT #generate the failure by granting test_admin superuser privileges postgres=> reset role; RESET postgres=# alter user test_admin superuser; ALTER ROLE postgres=# set role test_admin; SET postgres=# revoke connect on database testdb from test_user; REVOKE postgres=# drop user test_user; ERROR: role "test_user" cannot be dropped because some objects depend on it DETAIL: privileges for database testdb #test also with "granted by clause" postgres=# revoke connect on database testdb from test_user granted by "test_admin"; REVOKE postgres=# drop user test_user; ERROR: role "test_user" cannot be dropped because some objects depend on it DETAIL: privileges for database testdb #fix by removing superuser privilege from test_admin postgres=# reset role; RESET postgres=# alter user test_admin nosuperuser; ALTER ROLE postgres=# set role test_admin; SET postgres=> revoke connect on database testdb from test_user; REVOKE postgres=> drop role test_user; DROP ROLE Best Regards Marijo Kristo David G. Johnston <david.g.johnston@gmail.com> schrieb am 7. Apr. 2025 um 15:42: On Monday, April 7, 2025, Ing. Marijo Kristo < marijo.kristo@icloud.com > wrote: Seems like a bug to me. Can someone else verifiy this ? It would help greatly if you create a reproducer that starts from a clean install, creates the roles and database, and demonstrates the issue. postgres=# \du vault_admin; List of roles Role name | Attributes -------------+---------------- -------- vault_admin | Superuser, Create role postgres=# set role vault_admin; You are setting role to another role that has superuser which is basically pointless. Use “granted by” in your revoke command. If that works this isn’t a bug. David J.
-
Re: Re: Re: Revoke Connect Privilege from Database not working
David G. Johnston <david.g.johnston@gmail.com> — 2025-04-07T15:37:43Z
On Mon, Apr 7, 2025 at 7:27 AM Ing. Marijo Kristo <marijo.kristo@icloud.com> wrote: > Hi, > here is a full reproducer. Also revoking with the granted by clause does > not work. > > #clean initialization > postgres=# create database testdb owner postgres; > CREATE DATABASE > postgres=# create user test_admin createrole; > CREATE ROLE > postgres=# alter user test_admin with password 'test1234'; > ALTER ROLE > postgres=# grant connect on database testdb to test_admin with grant > option; > GRANT > > #create user and grant connect privilege with test_admin > postgres=# set role test_admin; > SET > postgres=> create user test_user password 'testuserpw'; > CREATE ROLE > postgres=> grant connect on database testdb to test_user; > GRANT > > #generate the failure by granting test_admin superuser privileges > postgres=> reset role; > RESET > postgres=# alter user test_admin superuser; > ALTER ROLE > postgres=# set role test_admin; > SET > postgres=# revoke connect on database testdb from test_user; > REVOKE > postgres=# drop user test_user; > ERROR: role "test_user" cannot be dropped because some objects depend on > it > DETAIL: privileges for database testdb > > #test also with "granted by clause" > postgres=# revoke connect on database testdb from test_user granted by > "test_admin"; > REVOKE > On master, confirmed that after this command the privilege: test_user=c/test_admin (on database testdb) still exists. That seems like a bug. Its at least a POLA violation and I cannot figure out how to read the revoke reference page in a way that explains it. David J. # revokescript.psql create database testdb:v; create user test_admin:v createrole; grant connect on database testdb:v to test_admin:v with grant option; set role test_admin:v; create user test_user:v password 'testuserpw'; grant connect on database testdb:v to test_user:v; reset role; alter user test_admin:v superuser; set role test_admin:v; revoke connect on database testdb:v from test_user:v granted by test_admin:v; \l+ testdb:v drop user test_user:v; > psql postgres --file revokescript.psql -v v=1
-
Re: Re: Re: Revoke Connect Privilege from Database not working
Tom Lane <tgl@sss.pgh.pa.us> — 2025-04-07T16:06:17Z
"David G. Johnston" <david.g.johnston@gmail.com> writes: > On master, confirmed that after this command the privilege: > test_user=c/test_admin (on database testdb) still exists. That seems like > a bug. Its at least a POLA violation and I cannot figure out how to read > the revoke reference page in a way that explains it. I believe what's going on there is explained by the rule that "grants and revokes done by a superuser are done as if issued by the object owner". So here, what would be revoked is test_user=c/postgres, which isn't the privilege at issue. Include GRANTED BY in the REVOKE to override the default choice of grantor. IIRC, said rule was invented before we had the GRANTED BY syntax. It probably doesn't make as much sense today, but I'd be very afraid of breaking peoples' work flows by changing it. regards, tom lane
-
Re: Re: Re: Revoke Connect Privilege from Database not working
David G. Johnston <david.g.johnston@gmail.com> — 2025-04-07T16:22:45Z
On Mon, Apr 7, 2025 at 9:06 AM Tom Lane <tgl@sss.pgh.pa.us> wrote: > "David G. Johnston" <david.g.johnston@gmail.com> writes: > > On master, confirmed that after this command the privilege: > > test_user=c/test_admin (on database testdb) still exists. That seems > like > > a bug. Its at least a POLA violation and I cannot figure out how to read > > the revoke reference page in a way that explains it. > > I believe what's going on there is explained by the rule that > "grants and revokes done by a superuser are done as if issued > by the object owner". So here, what would be revoked is > test_user=c/postgres, which isn't the privilege at issue. > Include GRANTED BY in the REVOKE to override the default > choice of grantor. > The command in question did include "granted by" which is why this is a bug. The explicit granted by specification is being ignored if the invoking user is a superuser. revoke connect on database testdb:v from test_user:v --------------- granted by test_admin:v; ---^^^^^^^^^ So if we stick with status quo behavior we'd need to write the following because the ignoring part is a POLA violation: If a superuser chooses to issue a GRANT or REVOKE command, the command is performed as though it were issued by the owner of the affected object, and the granted by clause is ignored. David J.
-
Re: Re: Re: Revoke Connect Privilege from Database not working
Nathan Bossart <nathandbossart@gmail.com> — 2025-11-13T16:47:14Z
On Mon, Apr 07, 2025 at 09:22:45AM -0700, David G. Johnston wrote: > On Mon, Apr 7, 2025 at 9:06 AM Tom Lane <tgl@sss.pgh.pa.us> wrote: >> I believe what's going on there is explained by the rule that >> "grants and revokes done by a superuser are done as if issued >> by the object owner". So here, what would be revoked is >> test_user=c/postgres, which isn't the privilege at issue. >> Include GRANTED BY in the REVOKE to override the default >> choice of grantor. > > The command in question did include "granted by" which is why this is a > bug. The explicit granted by specification is being ignored if the > invoking user is a superuser. This is admittedly a half-formed idea, but perhaps we could have whatever's specified in GRANTED BY override select_best_grantor(), like in the attached patch. I've no idea if this is the intention of the standard, but it should at least address the reported issue. FWIW I recently received an independent report about the same thing. -- nathan