Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sQvpX-00CO3s-Sb for pgsql-general@arkaria.postgresql.org; Mon, 08 Jul 2024 21:23:29 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1sQvpW-009bbY-Jj for pgsql-general@arkaria.postgresql.org; Mon, 08 Jul 2024 21:23:26 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sQvpW-009bbQ-4W for pgsql-general@lists.postgresql.org; Mon, 08 Jul 2024 21:23:26 +0000 Received: from mail.postgrespro.ru ([93.174.131.139]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sQvpT-0016yQ-BV for pgsql-general@postgresql.org; Mon, 08 Jul 2024 21:23:25 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=postgrespro.ru; s=mx2023; t=1720473800; bh=tmiaSFT1kxMqCN1opYun4od2lU9lhDjq53ncWukVnao=; h=Message-ID:Date:User-Agent:Subject:To:Cc:References:From: In-Reply-To:From; b=Bmy/XXpnrT70NnwixlO/vFwPcC5+kQrQXS05sr9fSrnVy8TDeLyw92UlvHzvfMULW EnZ8oulzqLKgScl4AAkvla/+eJQjuBeEjpqxkxmpjwuSe4gEokmNFecc5WxbDZW4UW WIVty3Vs9Vwz4un34KvqDnWK8xGZWPExEXsA2ImMT03nQjTBBlwlPPds+Bhl8t3Akz MhJV/Sgye/d1hJZr7//3Tokh7dDesCm6PyxpwQUQXM/f2mBgRuh+iZ747OB+xoS0pB 4oqQVTlY2mAkq3S7YYM2WcJRSYDpALLNSawbah41K252bbn6iRTUR72H3AX8DhRVdD dNINMQjrFNsVQ== Received: from [192.168.0.104] (unknown [62.217.185.30]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: p.luzanov@postgrespro.ru) by mail.postgrespro.ru (Postfix/587) with ESMTPSA id 081946037B; Tue, 9 Jul 2024 00:23:20 +0300 (MSK) Content-Type: multipart/alternative; boundary="------------xCsc6DsU3Qh0aE2VamvgmYeb" Message-ID: <7e16d145-acea-4f30-b5da-4e283989a957@postgrespro.ru> Date: Tue, 9 Jul 2024 00:23:18 +0300 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: v16 roles, SET FALSE, INHERIT FALSE, ADMIN FALSE To: Tom Lane Cc: Christophe Pettus , pgsql-general References: <69A2A7BD-F8CA-4067-B229-B5F9FC6A884F@thebuild.com> <2e3e4ddb-52b5-49b2-b363-00e3f12a83a0@postgrespro.ru> <1214992.1720473388@sss.pgh.pa.us> Content-Language: en-US, ru-RU From: Pavel Luzanov In-Reply-To: <1214992.1720473388@sss.pgh.pa.us> X-KSMG-AntiPhishing: NotDetected, bases: 2024/07/08 20:46:00 X-KSMG-AntiSpam-Interceptor-Info: not scanned X-KSMG-AntiSpam-Status: not scanned, disabled by settings X-KSMG-AntiVirus: Kaspersky Secure Mail Gateway, version 2.1.0.7854, bases: 2024/07/08 19:07:00 #25919740 X-KSMG-AntiVirus-Status: NotDetected, skipped X-KSMG-LinksScanning: not scanned, disabled by settings X-KSMG-Message-Action: skipped X-KSMG-Rule-ID: 1 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk This is a multi-part message in MIME format. --------------xCsc6DsU3Qh0aE2VamvgmYeb Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit On 09.07.2024 00:16, Tom Lane wrote: > Pavel Luzanov writes: >> On 08.07.2024 22:22, Christophe Pettus wrote: >>> This is more curiosity than anything else. In the v16 role system, is there actually any reason to grant membership in a role to a different role, but with SET FALSE, INHERIT FALSE, and ADMIN FALSE? Does the role granted membership gain any ability it didn't have before in that case? >> Looks like there is one ability. >> Authentication in pg_hba.conf "USER" field via +role syntax. > Hmm, if that check doesn't require INHERIT TRUE I'd say it's > a bug. > > regards, tom lane My test scenario: postgres@demo(16.3)=# select * from pg_hba_file_rules ; rule_number | file_name | line_number | type | database | user_name | address | netmask | auth_method | options | error -------------+-------------------------------------+-------------+-------+----------+------------+---------+---------+-------------+---------+------- 1 | /etc/postgresql/16/main/pg_hba.conf | 118 | local | {all} | {postgres} | | | trust | | 2 | /etc/postgresql/16/main/pg_hba.conf | 121 | local | {all} | {+bob} | | | trust | | 3 | /etc/postgresql/16/main/pg_hba.conf | 122 | local | {all} | {alice} | | | reject | | (3 rows) postgres@demo(16.3)=# \drg List of role grants Role name | Member of | Options | Grantor -----------+-----------+---------+---------- alice | bob | | postgres (1 row) postgres@demo(16.3)=# \c - alice You are now connected to database "demo" as user "alice". alice@demo(16.3)=> -- Pavel Luzanov Postgres Professional:https://postgrespro.com --------------xCsc6DsU3Qh0aE2VamvgmYeb Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 7bit On 09.07.2024 00:16, Tom Lane wrote:
Pavel Luzanov <p.luzanov@postgrespro.ru> writes:

On 08.07.2024 22:22, Christophe Pettus wrote:

This is more curiosity than anything else.  In the v16 role system, is there actually any reason to grant membership in a role to a different role, but with SET FALSE, INHERIT FALSE, and ADMIN FALSE?  Does the role granted membership gain any ability it didn't have before in that case?


      

        
Looks like there is one ability.
Authentication in pg_hba.conf "USER" field via +role syntax.


      

      
Hmm, if that check doesn't require INHERIT TRUE I'd say it's
a bug.

			regards, tom lane


    

    

    
My test scenario:

    
postgres@demo(16.3)=# select * from pg_hba_file_rules ;
 rule_number |              file_name              | line_number | type  | database | user_name  | address | netmask | auth_method | options | error 
-------------+-------------------------------------+-------------+-------+----------+------------+---------+---------+-------------+---------+-------
           1 | /etc/postgresql/16/main/pg_hba.conf |         118 | local | {all}    | {postgres} |         |         | trust       |         | 
           2 | /etc/postgresql/16/main/pg_hba.conf |         121 | local | {all}    | {+bob}     |         |         | trust       |         | 
           3 | /etc/postgresql/16/main/pg_hba.conf |         122 | local | {all}    | {alice}    |         |         | reject      |         | 
(3 rows)

postgres@demo(16.3)=# \drg
            List of role grants
 Role name | Member of | Options | Grantor  
-----------+-----------+---------+----------
 alice     | bob       |         | postgres
(1 row)

postgres@demo(16.3)=# \c - alice
You are now connected to database "demo" as user "alice".
alice@demo(16.3)=> 


    

    
-- 
Pavel Luzanov
Postgres Professional: https://postgrespro.com

  


--------------xCsc6DsU3Qh0aE2VamvgmYeb--