Re: Allow placeholders in ALTER ROLE w/o superuser

From: Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com>
To: nathandbossart(at)gmail(dot)com
Cc: steve(at)supabase(dot)io, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Allow placeholders in ALTER ROLE w/o superuser
Date: 2022-07-20 06:28:36
Message-ID: 20220720.152836.1442103646840823302.horikyota.ntt@gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

At Tue, 19 Jul 2022 09:53:39 -0700, Nathan Bossart <nathandbossart(at)gmail(dot)com> wrote in
> On Tue, Jul 19, 2022 at 12:55:14AM -0500, Steve Chavez wrote:
> > Taking your options into consideration, for me the correct behaviour should
> > be:
> >
> > - The ALTER ROLE placeholder should always be stored with a PGC_USERSET
> > GucContext. It's a placeholder anyway, so it should be the less restrictive
> > one. If the user wants to define it as PGC_SUSET or other this should be
> > done through a custom extension.
> > - When an extension claims the placeholder, we should check the
> > DefineCustomXXXVariable GucContext with PGC_USERSET. If there's a match,
> > then the value gets applied, otherwise WARN or ERR.
> > The role GUCs get applied at login time right? So at this point we can
> > WARN or ERR about the defined role GUCs.
> >
> > What do you think?
>
> Hm. I would expect ALTER ROLE to store the PGC_SUSET context when executed
> by a superuser or a role with privileges via pg_parameter_acl. Storing all
> placeholder GUC settings as PGC_USERSET would make things more restrictive
> than they are today. For example, it would no longer be possible to apply
> any ALTER ROLE settings from superusers for placeholders that later become
> custom GUCS.

Currently placehoders are always created PGC_USERSET, thus
non-superuser can set it. But if loaded module defines the custom
variable as PGC_SUSET, the value set by the user is refused then the
value from ALTER-ROLE-SET or otherwise the default value from
DefineCustom*Variable is used. If the module defines it as
PGC_USERSET, the last value is accepted.

If a placehoders were created PGC_SUSET, non-superusers cannot set it
on-session. But that behavior is not needed since loadable modules
reject PGC_USERSET values as above.

Returning to the topic, that operation can be allowed in PG15, having
being granted by superuser using the GRANT SET ON PARMETER command.

=# GRANT SET ON PARAMETER my.username TO r1;

r1=> ALTER ROLE r1 SET my.username = 'hoge_user_x';
<success>
r1=> \c
r1=> => show my.username;
my.username
-------------
hoge_user_x
(1 row)

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Michael Paquier 2022-07-20 06:49:17 Re: Backup command and functions can cause assertion failure and segmentation fault
Previous Message tanghy.fnst@fujitsu.com 2022-07-20 06:21:36 RE: Memory leak fix in psql