From: | Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com> |
---|---|
To: | Dominique Devienne <ddevienne(at)gmail(dot)com>, "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
Cc: | pgsql-general(at)lists(dot)postgresql(dot)org |
Subject: | Re: New SET privilege for pg_has_role() in v16+ |
Date: | 2024-01-02 16:40:21 |
Message-ID: | cb7cfc57-6afa-4175-a4d4-6e26e42ab015@aklaver.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
On 1/2/24 08:21, Dominique Devienne wrote:
> On Tue, Jan 2, 2024 at 5:11 PM David G. Johnston
> <david(dot)g(dot)johnston(at)gmail(dot)com <mailto:david(dot)g(dot)johnston(at)gmail(dot)com>> wrote:
>
> On Tue, Jan 2, 2024 at 8:25 AM Dominique Devienne
> <ddevienne(at)gmail(dot)com <mailto:ddevienne(at)gmail(dot)com>> wrote:
>
> pg_has_role() from
> https://www.postgresql.org/docs/current/functions-info.html
> <https://www.postgresql.org/docs/current/functions-info.html>
> added the 'SET' privilege in v16, and on top of the existing
> 'MEMBER' and 'USAGE' ones:
>
> Membership no longer does anything by itself.
>
>
> OK! That's news to me, I must go back to the v16 (?) release notes and
> learn more about this.
>
> Both inherit and set capabilities are now individually controlled
> permissions related to membership.
>
>
> Hmmm, what drove this change? (I guess I'm getting back to the rationale
> from earlier).
> The previous model was not granular enough?
> And the new one is as granular as it gets?
>
> It is indeed possible, but not useful, to grant membership but then
> disallow both set and inherit permissions.
>
>
> OK. Yet another thing I'll need to study.
>
> As I wrote earlier, we use ROLEs extensively, some INHERIT and others
> NOT INHERIT,
> to map an existing C/C++ enforce security model in mid-tier services, to
> a ROLE/GRANT-based
> one enforced by PostgreSQL itself, thus understanding why these changes
> were made in v16 matters to me a lot.
If you want the rationale see:
https://rhaas.blogspot.com/2023/01/surviving-without-superuser-coming-to.html
>
> Thanks, --DD
--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
From | Date | Subject | |
---|---|---|---|
Next Message | Adrian Klaver | 2024-01-02 16:42:56 | Re: New SET privilege for pg_has_role() in v16+ |
Previous Message | David G. Johnston | 2024-01-02 16:33:10 | Re: New SET privilege for pg_has_role() in v16+ |