Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1vNba6-008FCq-35
	for pgsql-general@arkaria.postgresql.org;
	Mon, 24 Nov 2025 18:46:34 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1vNba5-0034Vq-1p
	for pgsql-general@arkaria.postgresql.org;
	Mon, 24 Nov 2025 18:46:33 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <tgl@sss.pgh.pa.us>)
	id 1vNbXH-0030Qv-1v
	for pgsql-general@lists.postgresql.org;
	Mon, 24 Nov 2025 18:43:39 +0000
Received: from sss.pgh.pa.us ([68.162.161.243])
	by magus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <tgl@sss.pgh.pa.us>)
	id 1vNbXG-001HDt-04
	for pgsql-general@lists.postgresql.org;
	Mon, 24 Nov 2025 18:43:39 +0000
Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1])
	by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 5AOIhVUF981856;
	Mon, 24 Nov 2025 13:43:32 -0500
From: Tom Lane <tgl@sss.pgh.pa.us>
To: =?utf-8?Q?=C3=81lvaro?= Herrera <alvherre@kurilemu.de>
cc: Laurenz Albe <laurenz.albe@cybertec.at>,
        Calvin Guo <newoakllc2023@gmail.com>,
        pgsql-general@lists.postgresql.org
Subject: Re: set role command
In-reply-to: <202511241648.tw7dx3ga7rxk@alvherre.pgsql>
References: <202511241648.tw7dx3ga7rxk@alvherre.pgsql>
Comments: In-reply-to =?utf-8?Q?=C3=81lvaro?= Herrera <alvherre@kurilemu.de>
	message dated "Mon, 24 Nov 2025 18:05:50 +0100"
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <981854.1764009811.1@sss.pgh.pa.us>
Date: Mon, 24 Nov 2025 13:43:31 -0500
Message-ID: <981855.1764009811@sss.pgh.pa.us>
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/981855.1764009811%40sss.pgh.pa.us>
Precedence: bulk

=?utf-8?Q?=C3=81lvaro?= Herrera <alvherre@kurilemu.de> writes:
> For what it's worth, I think we break the SQL standard's security model
> by providing RESET ROLE and RESET SESSION AUTHORIZATION, neither of
> which the standard has.

I don't think so.  They are just shorthand for issuing a SET to the
original value, so how do they break the model in a way that that
doesn't?

> This means that in the standard model you have
> commands to lower your privilege, but once you've lowered them, you
> cannot return (in the same connection) to what you had.

The reason PG acts as it does is that we interpret "the permissions
required to do SET SESSION AUTHORIZATION" as "did your originally
authenticated ID have permission to do that SET?".  Since those
permissions are implementation-defined, I don't think it's possible
to argue that our choice breaks standards compliance.  You can argue
that it's a bad idea, but it's a bit late to change it now.

In practical terms, the one-way changes that Calvin wants are just not
that attractive.  What people have actually asked for, particularly
connection-pooler authors, are a way to switch session authorization
in such a way that you can only go back with some additional secret
sauce, like a one-time password generated at the pooler level.
That'd allow sharing the same connection across different user IDs,
which isn't safe today.

			regards, tom lane