From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Nathan Bossart <nathandbossart(at)gmail(dot)com> |
Cc: | tushar <tushar(dot)ahuja(at)enterprisedb(dot)com>, Joe Conway <mail(at)joeconway(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "Bossart, Nathan" <bossartn(at)amazon(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: replacing role-level NOINHERIT with a grant-level option |
Date: | 2022-08-29 19:38:57 |
Message-ID: | CA+TgmoZSU1h6hU4u_T_fMbefEaKWyaWjreubuyGeR057dPnLkg@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Mon, Aug 29, 2022 at 10:17 AM Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> Good catch. Thanks for the review. Committed with that correction.
Argh, I found a bug, and one that I should have caught during testing,
too. I modelled the new function select_best_grantor() on
is_admin_of_role(), but it differs in that it calls
roles_is_member_of() with ROLERECURSE_PRIVS rather than
ROLECURSE_MEMBERS. Sadly, roles_is_member_of() handles
ROLERECURSE_PRIVS by completely ignoring non-inherited grants, which
is wrong, because then calls to select_best_grantor() treat a member
of a role with INHERIT FALSE, ADMIN TRUE is if they were not an admin
at all, which is incorrect.
Here is a patch to rearrange the logic slightly and also add a test
case memorializing the intended behavior. Without this change, the
regression test included in the patch fails like this:
ERROR: no possible grantors
...which is never supposed to happen.
--
Robert Haas
EDB: http://www.enterprisedb.com
Attachment | Content-Type | Size |
---|---|---|
v1-0001-Fix-a-bug-in-roles_is_member_of.patch | application/octet-stream | 5.1 KB |
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2022-08-29 19:43:55 | Postmaster self-deadlock due to PLT linkage resolution |
Previous Message | Jeff Davis | 2022-08-29 18:47:16 | Re: New strategies for freezing, advancing relfrozenxid early |