From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Nathan Bossart <nathandbossart(at)gmail(dot)com> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: use has_privs_of_role() for pg_hba.conf |
Date: | 2022-10-07 11:59:08 |
Message-ID: | CA+TgmoZtn5Wg9eqAf-A+0rbqv68SSD6RSbcw01RiCdxg-akauA@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Fri, Apr 1, 2022 at 6:07 PM Nathan Bossart <nathandbossart(at)gmail(dot)com> wrote:
>
> 6198420 ensured that has_privs_of_role() is used for predefined roles,
> which means that the role inheritance hierarchy is checked instead of mere
> role membership. However, inheritance is still not respected for
> pg_hba.conf. Specifically, "samerole", "samegroup", and "+" still use
> is_member_of_role_nosuper().
>
> The attached patch introduces has_privs_of_role_nosuper() and uses it for
> the aforementioned pg_hba.conf functionality. I think this is desirable
> for consistency. If a role_a has membership in role_b but none of its
> privileges (i.e., NOINHERIT), does it make sense that role_a should match
> +role_b in pg_hba.conf? It is true that role_a could always "SET ROLE
> role_b", and with this change, the user won't even have the ability to log
> in to run SET ROLE. But I'm not sure if that's a strong enough argument
> for deviating from the standard role privilege checks.
I hadn't noticed this thread before.
I'm not sure whether this is properly considered a privilege check. It
could even be an anti-privilege, if the pg_hba.conf line in question
is maked "reject".
I'm not taking the position that what this patch does is wrong, but I
*am* taking the position that it's a judgement call what the correct
behavior is here.
--
Robert Haas
EDB: http://www.enterprisedb.com
From | Date | Subject | |
---|---|---|---|
Next Message | Vik Fearing | 2022-10-07 12:02:52 | Re: future of serial and identity columns |
Previous Message | Önder Kalacı | 2022-10-07 11:54:00 | Re: [PATCH] Use indexes on the subscriber when REPLICA IDENTITY is full on the publisher |