| From: | Isaac Morland <isaac(dot)morland(at)gmail(dot)com> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net>, Mark Dilger <mark(dot)dilger(at)enterprisedb(dot)com>, Noah Misch <noah(at)leadboat(dot)com>, Jacob Champion <pchampion(at)vmware(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, "chap(at)anastigmatix(dot)net" <chap(at)anastigmatix(dot)net>, torikoshia <torikoshia(at)oss(dot)nttdata(dot)com> |
| Subject: | Re: Delegating superuser tasks to new security roles (Was: Granting control of SUSET gucs to non-superusers) |
| Date: | 2021-07-27 14:23:54 |
| Message-ID: | CAMsGm5cnTQrNYPAZBLTGKt0LtKpmwGoxuNu8tm4u14d-dXjYAg@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Tue, 27 Jul 2021 at 10:19, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> I think this has potential. In a managed services environment, you can
> imagine the provider as the super-duper user, having the ability to do
> anything - because they control the box, so there's really no stopping
> it - but presumably very little interest in what happens within the
> database. Then you have the tenant, who is a semi-super-user,
> authorized by the provider to do anything internal to the database
> that the provider doesn't think will cause them problems. With the
> setup you're proposing here, I suppose what the provider needs to do
> is have a role like 'tenant' and make all the other tenant role
> members of that master role. Then the tenant can log in as 'tenant' as
> set up event triggers that will apply to all of those users, but
> there's no security compromise for the provider because the role (or
> roles) that they use to log in are not members of 'tenant'.
>
Isn’t this backwards? If all those roles are members of "tenant" then they
can do anything "tenant" can do. The reverse might work - make "tenant" a
member of all the related roles - although I haven’t thought through in
detail.
The comparison is to making all roles members of "postgres" (disaster) vs.
making "postgres" a member of all roles (redundant, because of how
permissions work for superuser, but harmless).
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alvaro Herrera | 2021-07-27 14:29:32 | Re: pg_settings.pending_restart not set when line removed |
| Previous Message | Robert Haas | 2021-07-27 14:19:15 | Re: Delegating superuser tasks to new security roles (Was: Granting control of SUSET gucs to non-superusers) |