Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1soihT-00DJcb-DT for pgsql-general@arkaria.postgresql.org; Thu, 12 Sep 2024 12:13:28 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1soihT-006VEq-1g for pgsql-general@arkaria.postgresql.org; Thu, 12 Sep 2024 12:13:27 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1soihS-006VES-MB for pgsql-general@lists.postgresql.org; Thu, 12 Sep 2024 12:13:26 +0000 Received: from mail-oo1-xc2f.google.com ([2607:f8b0:4864:20::c2f]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1soihP-000njA-Tw for pgsql-general@lists.postgresql.org; Thu, 12 Sep 2024 12:13:25 +0000 Received: by mail-oo1-xc2f.google.com with SMTP id 006d021491bc7-5e1b50fea4bso452162eaf.2 for ; Thu, 12 Sep 2024 05:13:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1726143203; x=1726748003; darn=lists.postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=ZWdGXUp+cR0n231edD4OBwy/2PmO0jR0VBRkhBUDYjY=; b=UxbObTATCNHi7YTpFHFouorg1mDL4KrKtTG1/pgEhlxVFUoqzhNTm6I9Tf1/9LArzD wz+Vq6f2x7zbsiCNVml6ldPb7IQytzUZSylXyjvCdR1Y7xj2wKFsqRj11Qcn+yjtjH3G pwYVbxfb73zYUAx+LHywyaXlRK3rSB8OSaJ8mVygo+qDu1SG/uOdSUm6Ya/mx7gwzDqJ h0i5lRl4IP4c+870cMRVZb7DgqdykccblVnw/+JyMvE2IGPRudbX++eU6v3ORhzEyaqo 6YcsruKBzdECH7aTNEs26mZy/Z+Q/BUIrca6DPv4QnXcq4H4+HBUA1aslO9aUhf6N+i5 Nkzw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726143203; x=1726748003; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ZWdGXUp+cR0n231edD4OBwy/2PmO0jR0VBRkhBUDYjY=; b=hXqnz28GPhM7PBf4shbanw9u1UaSK14y85E7YoWzumI3mnQohR8lynNygh8O0mMn3o kPHNDLA5ZWeNFisXglhcHBbfnmgKKdR3DnU04nf4Hwh4Buu0kuo8I00npCrIc7ScQyj9 lOIEB8hmV/zKdo3Sf7xkXJNrd2Hifk6ZDOdbDWF3l6W9UMgrCuprvg4Zc8mF3AuPZ/bt EITT9mK88aDHwVzA1pdcUDbX+rqKSFAezEiTAvDDbBKABbKU9hoASF0X11DPwqgpO03t gs3HCtNP359I75Fvz9ZZPVX2XL1u2xnf128AxaBacK1Wq6TObOmG7FOeh3+AsIdT+ZGp Ka6w== X-Gm-Message-State: AOJu0YwOiIvQ/n/x1vxnSn46MfqWS3yhQnaKi76HKo1Z8WYg3v5Q3LVO 97zabAIaqEf6Pqk5z5bH+EOSioJn4+tP3ALALmk4nh94vX4Iz30YmsuKvCoXx0pGhGUOzovUv5D 96Q6pp7JZgLGFroEOQt7J+LFc/qXMkw== X-Google-Smtp-Source: AGHT+IHGt0/AveKGVTqbGRQUYs5Rblpb3rlSl/nvbU2YnwX1o7HUSDJoiLDwpJq6/fwBsRRBne9I7RjF1U2MD6ea8tA= X-Received: by 2002:a05:6820:1ace:b0:5e1:e65d:5148 with SMTP id 006d021491bc7-5e20145aa83mr1235373eaf.6.1726143203348; Thu, 12 Sep 2024 05:13:23 -0700 (PDT) MIME-Version: 1.0 References: <3908085.1726090788@sss.pgh.pa.us> In-Reply-To: <3908085.1726090788@sss.pgh.pa.us> From: Dominique Devienne Date: Thu, 12 Sep 2024 14:13:12 +0200 Message-ID: Subject: Re: Backward compat issue with v16 around ROLEs To: Tom Lane Cc: pgsql-general@lists.postgresql.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Wed, Sep 11, 2024 at 11:39=E2=80=AFPM Tom Lane wrote= : > Dominique Devienne writes: > > Hi. I'm going around in circles trying to solve an issue with our > > system when running against a PostgreSQL v16 server. Which is linked > > to the weakening of CREATEROLE to have more granular permissions. > > I'm not entirely sure, but I think the relevant v16 change is that > CREATEROLE used to imply having ADMIN on every (non-superuser) role. Yes, sure. This meant the ability to do GRANTs was independent of the ROLE graph, when you had CREATEROLE. I completely agree it wasn't right. But backward-compatibility matter too. > Now you have to actually have a WITH ADMIN OPTION grant. Yes, but because this modifies the ROLE graph, PostgreSQL is now adding "artificail" edges to the graph, which make some graphs that used to be DAGs, not longer DAGs leading to errors. That's a pretty important change, which from my POV, is kinda a regression. (there, I used to big word...). > You do automatically get WITH ADMIN OPTION on roles > you create yourself --- but in this example, dd_owner did > not create dd_admin. Because it can't (in v16+). Because dd_admin is a "group" role for the subset of internal user roles (all created by dd_owner) which are supposed to become dd_owner. The fact dd_owner created dd_user in the past was not an edge in the graph. So dd_user member of dd_admin member of dd_owner was OK. But because v16+ adds that dd_owner member of dd_user, because it created it, breaks the DAG. I think the fundamental flaw might be that an "ADMIN-only edge" is considered the same way in the graph, than a "SET edge". ADMIN-only edges should be considered only as the set of ROLEs one can administer, and nothing else, and not really participate in the ROLE DAG. Maybe it's a naive view on my part, but how else to fix the "regression" of my use-case? > regards, tom lane Hopefully we can continue a constructive discussion on this, and I didn't alienate anyone. I'm no PostgreSQL Hacker, nor the sharpest mind around, and I'm just thinking aloud above. Currently, I'm still stuck with no solution, thus still need help. --DD