Re: Can a role have indirect ADMIN OPTION on another role?

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Ashutosh Sharma <ashu(dot)coek88(at)gmail(dot)com>
Cc: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Can a role have indirect ADMIN OPTION on another role?
Date: 2023-09-06 15:33:23
Message-ID: CA+TgmoYy8gQnwncPAFbB=DYD2Msp2WoahNr6KkygVGWqk-OQhw@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Wed, Sep 6, 2023 at 11:14 AM Ashutosh Sharma <ashu(dot)coek88(at)gmail(dot)com> wrote:
> In PG-16, I see that we have made a lot of changes in the area roles
> and privileges. I have a question related to this and here is my
> question:
>
> Let's say there is a roleA who creates roleB and then roleB creates
> another role, say roleC. By design, A can administer B and B can
> administer C. But, can A administer C although it has not created C?

Ultimately, yes, because A can get access to all of B's privileges,
which include administering C. However, A might or might not have B's
privileges by default, depending on the value of createrole_self_grant
in effect at the time when B was created. So, depending on the
situation, A might (or might not) need to do something like GRANT
roleB to roleA or SET ROLE roleB in order to be able to actually
execute the administration commands in question.

IMHO, it really couldn't reasonably work in any other way. Consider
that A's right to administer B includes the right to change B's
password. If the superuser wants users A and B that can't interfere
with each other, the superuser should create both of those accounts
themselves instead of letting one create the other.

--
Robert Haas
EDB: http://www.enterprisedb.com

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Peter Geoghegan 2023-09-06 16:20:23 Re: Eager page freeze criteria clarification
Previous Message Alvaro Herrera 2023-09-06 15:01:06 Re: remaining sql/json patches