From: | Pavel Luzanov <p(dot)luzanov(at)postgrespro(dot)ru> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>, Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com> |
Subject: | Re: multiple membership grants and information_schema.applicable_roles |
Date: | 2023-07-24 06:42:10 |
Message-ID: | 76a1efd1-5753-223a-602a-b71714490f98@postgrespro.ru |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 23.07.2023 23:03, Tom Lane wrote:
> CREATE RECURSIVE VIEW APPLICABLE_ROLES ( GRANTEE, ROLE_NAME, IS_GRANTABLE ) AS
> ( ( SELECT GRANTEE, ROLE_NAME, IS_GRANTABLE
> FROM DEFINITION_SCHEMA.ROLE_AUTHORIZATION_DESCRIPTORS
> WHERE ( GRANTEE IN
> ( CURRENT_USER, 'PUBLIC' )
> OR
> GRANTEE IN
> ( SELECT ROLE_NAME
> FROM ENABLED_ROLES ) ) )
> UNION
> ( SELECT RAD.GRANTEE, RAD.ROLE_NAME, RAD.IS_GRANTABLE
> FROM DEFINITION_SCHEMA.ROLE_AUTHORIZATION_DESCRIPTORS RAD
> JOIN
> APPLICABLE_ROLES R
> ON
> RAD.GRANTEE = R.ROLE_NAME ) );
>
> The UNION would remove rows only when they are duplicates across all
> three columns.
Hm, I think there is one more thing to check in the SQL standard.
Is IS_GRANTABLE a key column for ROLE_AUTHORIZATION_DESCRIPTORS?
If not, duplicates is not possible. Right?
Can't check now, since I don't have access to the SQL standard definition.
> I do see what seems like a different issue: the standard appears to expect
> that indirect role grants should also be shown (via the recursive CTE),
> and we are not doing that.
I noticed this, but the view stays unchanged so long time.
I thought it was done intentionally.
--
Pavel Luzanov
Postgres Professional: https://postgrespro.com
From | Date | Subject | |
---|---|---|---|
Next Message | Masahiro Ikeda | 2023-07-24 07:26:45 | Re: Support worker_spi to execute the function dynamically. |
Previous Message | Amit Kapila | 2023-07-24 06:31:20 | Re: logical decoding and replication of sequences, take 2 |