Re: Backward compat issue with v16 around ROLEs

From: Pavel Luzanov <p(dot)luzanov(at)postgrespro(dot)ru>
To: Robert Haas <robertmhaas(at)gmail(dot)com>, Dominique Devienne <ddevienne(at)gmail(dot)com>
Cc: "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, Wolfgang Walther <walther(at)technowledgy(dot)de>, pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: Backward compat issue with v16 around ROLEs
Date: 2024-09-12 22:03:53
Message-ID: ddd690b8-4273-418a-b8c7-0b95bd5b7203@postgrespro.ru
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

On 13.09.2024 00:11, Robert Haas wrote:

> The prohibition against circular grants is really annoying in your use
> case. If dd_owner creates dd_user, then dd_user is granted to
> dd_owner, which means that dd_owner cannot be granted (directly or
> indirectly) to dd_user.

In search of workaround...

So, now in v16 we need a third role to made this grants.
There is a not very nice way to use the third role implicitly,
through security definer stored routines.

-- run by superuser
create role dd_owner createrole;
CREATE ROLE

create role dd_admin noinherit;
CREATE ROLE

grant dd_owner to dd_admin;
GRANT ROLE

create procedure create_role (role text, member regrole)
language plpgsql security definer as $$
begin
execute (format('create role %I in role %I', role, member));
end;
$$;
CREATE PROCEDURE

revoke execute on procedure create_role from public;
REVOKE

grant execute on procedure create_role to dd_owner;
GRANT

set role dd_owner;
SET

call create_role('dd_user', 'dd_admin');
CALL

\du dd*
List of roles
Role name | Attributes
-----------+------------------------------
dd_admin | No inheritance, Cannot login
dd_owner | Create role, Cannot login
dd_user | Cannot login

\drg
List of role grants
Role name | Member of | Options | Grantor
-----------+-----------+--------------+----------
dd_admin | dd_owner | SET | postgres
dd_user | dd_admin | INHERIT, SET | postgres
(2 rows)

Ido notknowhowapplicablethisis for Dominique.Perhapsabettersolution is to review andmakechangesto roles&grants systemby explicitlyintroducingand using a thirdrole.

--
Pavel Luzanov
Postgres Professional:https://postgrespro.com

In response to

Browse pgsql-general by date

  From Date Subject
Next Message Rich Shepard 2024-09-12 23:01:30 DDL issue
Previous Message Thomas Munro 2024-09-12 22:01:53 Re: Error:could not extend file " with FileFallocate(): No space left on device