| From: | Erik Wienhold <ewie(at)ewie(dot)name> |
|---|---|
| To: | Dominique Devienne <ddevienne(at)gmail(dot)com>, pgsql-general(at)lists(dot)postgresql(dot)org |
| Subject: | Re: DEFINER / INVOKER conundrum |
| Date: | 2023-04-03 14:55:19 |
| Message-ID: | 478369375.553946.1680533719442@office.mailbox.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
> On 03/04/2023 13:18 CEST Dominique Devienne <ddevienne(at)gmail(dot)com> wrote:
>
> My goal is to have clients connect to PostgreSQL,
> and call a function that return a JWT token.
>
> The JWT is supposed to capture the user (login role),
> and the current_role (which has meaning in our app),
> and sign it using a secret corresponding to a mid-tier
> service the client will connect to later.
>
> I've found https://github.com/michelp/pgjwt which seems
> perfect for my use case, but I'm struggling with something.
>
> On the one hand, I want a INVOKER security function,
> to be able to capture the login and current ROLEs.
>
> On the other hand, I want a DEFINER security function,
> to be able to access the secret to sign the JWT with.
>
> That secret will be in a table that regular users of our DB
> do NOT have access to, of course. But that the function
> doing the JWT signing does need access to, of course (again).
>
> I thought I'd have two layers of functions, one INVOKER
> that captures the ROLEs, which then calls the DEFINER one,
> passing the ROLEs captured, but since the INVOKER function
> must also be able to call the DEFINER function, what prevents
> the client from calling it directly, with different (spoofed) ROLEs?
>
> Is there a way out of that conundrum?
A single DEFINER function works if you capture current_user with a parameter
and default value. Let's call it claimed_role. Use pg_has_role[0] to check
that session_user has the privilege for claimed_role (in case the function is
called with an explicit value), otherwise raise an exception.
Connect as postgres:
CREATE FUNCTION f(claimed_role text default current_user)
RETURNS TABLE (claimed_role text, curr_user text, sess_user text)
SECURITY DEFINER
LANGUAGE sql
$$ SELECT claimed_role, current_user, session_user $$;
Connect as alice:
SELECT * FROM f();
claimed_role | curr_user | sess_user
--------------+-----------+-----------
alice | postgres | alice
(1 row)
[0] https://www.postgresql.org/docs/current/functions-info.html#FUNCTIONS-INFO-ACCESS-TABLE
--
Erik
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Erik Wienhold | 2023-04-03 15:11:17 | Re: jsonb @@ jsonpath operator doc: Only the first item of the result is taken into account |
| Previous Message | Phil Florent | 2023-04-03 13:25:21 | RE: Support logical replication of DDLs |