Re: Delegating superuser tasks to new security roles (Was: Granting control of SUSET gucs to non-superusers)

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Jeff Davis <pgsql(at)j-davis(dot)com>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Mark Dilger <mark(dot)dilger(at)enterprisedb(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Jacob Champion <pchampion(at)vmware(dot)com>, Noah Misch <noah(at)leadboat(dot)com>, "chap(at)anastigmatix(dot)net" <chap(at)anastigmatix(dot)net>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, "tgl(at)sss(dot)pgh(dot)pa(dot)us" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, torikoshia <torikoshia(at)oss(dot)nttdata(dot)com>
Subject: Re: Delegating superuser tasks to new security roles (Was: Granting control of SUSET gucs to non-superusers)
Date: 2021-10-20 20:23:32
Message-ID: CA+TgmoaGX2vDZ_dqTyx6aE22=8YeMUxYTvVSMNxRZ-=hHsFc-g@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Wed, Oct 20, 2021 at 1:20 PM Jeff Davis <pgsql(at)j-davis(dot)com> wrote:
> A downside is that with my suggestion, event triggers would still be
> for the highly-privileged roles only. Allowing unprivileged users to
> create event triggers that have limited scope might allow some really
> interesting use cases. There might be some options here, like allowing
> any user to create an event trigger that only affects that user.

I think that's basically giving up the important part of this idea,
which is to allow meaningful administration without superuser
privileges. "highly-privileged roles only" sounds like in practice it
would amount to the superuser or someone who can become the superuser
-- and thus probably wouldn't include the "master tenant" role in a
service provider environment.

I don't really see what the problem is with Tom's proposal[1,2], or
why the role self-administration thread is necessarily a blocker. It's
true that if X creates an event trigger and it fires for Y because X
can become Y, then Y might be able to revoke membership in Y from X
and thus circumvent the event trigger firing. But that is a severable
problem. We can fail to solve that problem and still be better off
than today, because at least with the proposed change a cooperating
group of users (or one whose ability to execute GRANT and REVOKE is
restricted by some other means) can benefit from event triggers
without any of them being superuser. If we make this change *and also*
resolve the role self-administration problem, then it can also work in
cases where a more privileged user needs to enforce event trigger
firing against a less-privileged user.

--
Robert Haas
EDB: http://www.enterprisedb.com

[1] http://postgr.es/m/214052.1627331086@sss.pgh.pa.us
[2] http://postgr.es/m/216038.1627333077@sss.pgh.pa.us

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Stephen Frost 2021-10-20 20:36:06 Re: Delegating superuser tasks to new security roles (Was: Granting control of SUSET gucs to non-superusers)
Previous Message Mark Dilger 2021-10-20 20:14:10 Re: Non-superuser event trigger owners