From: Dominique Devienne <[email protected]>
To: Pavel Luzanov <[email protected]>
Cc: David G. Johnston <[email protected]>
Cc: Wolfgang Walther <[email protected]>
Cc: [email protected]
Subject: Re: Backward compat issue with v16 around ROLEs
Date: Thu, 12 Sep 2024 15:45:01 +0200
Message-ID: <CAFCRh-8d9+GZSXzK=UhJKOq+BTVt9eG0E4Zu6dALo-OaOpunYQ@mail.gmail.com>
In-Reply-To: <CAFCRh-_ZVP4emEKSGYJoM2hP657z1ZTq=UVkb7xZCYdByawFKQ@mail.gmail.com>

On Thu, Sep 12, 2024 at 2:40 PM Dominique Devienne <[email protected]> wrote:
> Basically the above explains why we have that
> dd_user (INHERIT)
> `-> member-of dd_admin (NOINHERIT)
> `-> member-of dd_owner (INHERIT).
>
> In pre-v16, once again, this was fine.
> Because v16+ adds that dd_owner member-of dd_user (ADMIN)
> edge, things break down.

Another way to look at it is this:

=== v14 ===
ddevienne=> create role dd_child;
CREATE ROLE
ddevienne=> select pg_has_role(current_role, 'dd_child', 'MEMBER');
 pg_has_role
-------------
 f
(1 row)

=== v16 ===
ddevienne=> create role dd_child;
CREATE ROLE
ddevienne=> select pg_has_role(current_role, 'dd_child', 'MEMBER');
 pg_has_role
-------------
 t
(1 row)

Any existing ROLE graph which had "back-edges" (GRANTs) from a ROLE
back to the ROLE that created it, valid in pre-v16, becomes invalid in v16+.
And there's no work-around. Tough luck, take a hike...

And our security model and its implementation basically require such
back-edges.

My contention is that if this is an ADMIN-only edge, it shouldn't be
deemed circular.
Kind of the same way you break cycles in FKs by making one side DEFERRED,
ADMIN edges should be "weaker" than SET ones, and break cycles.

Maybe I'm the only one in the world using PostgreSQL in that situation?
Somehow I doubt that. Most people and organizations are slow to upgrade,
and v16 is new enough that it wasn't exposed to enough real world usage yet.
So this issue is only going to get bigger as time passes IMHO.

Thanks, --DD
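
The behaviour change described in the message above, as an added Python model that is not part of the original e-mail and is not PostgreSQL code. It assumes the circular-grant check follows every membership edge regardless of its options (consistent with the 'MEMBER' result shown for v16); the role name "creator" and all class and function names are hypothetical.

```python
from collections import defaultdict

ADMIN_ONLY = frozenset({"ADMIN"})

class RoleGraph:
    """Toy model of role membership edges; not PostgreSQL's implementation."""

    def __init__(self, creator_gets_admin):
        # True models v16+ (creator is granted ADMIN on the new role), False pre-v16.
        self.creator_gets_admin = creator_gets_admin
        self.edges = defaultdict(dict)  # member -> {role: options}

    def create_role(self, creator, role):
        if self.creator_gets_admin:
            self.edges[creator][role] = ADMIN_ONLY

    def is_member(self, member, role, ignore_admin_only=False):
        """Transitive membership, as pg_has_role(member, role, 'MEMBER') reports it."""
        seen, stack = set(), [member]
        while stack:
            cur = stack.pop()
            if cur == role:
                return True
            if cur in seen:
                continue
            seen.add(cur)
            for parent, opts in self.edges[cur].items():
                # Rule proposed in the message: ADMIN-only edges do not count.
                if not (ignore_admin_only and opts == ADMIN_ONLY):
                    stack.append(parent)
        return False

    def grant(self, role, member, ignore_admin_only=False):
        """GRANT role TO member; refused if role is already a member of member."""
        if self.is_member(role, member, ignore_admin_only):
            return False  # the new edge would close a cycle
        self.edges[member][role] = frozenset({"INHERIT", "SET"})
        return True

def back_edge(creator_gets_admin, ignore_admin_only=False):
    """Create dd_child, then try to grant the creator back to it."""
    g = RoleGraph(creator_gets_admin)
    g.create_role("creator", "dd_child")
    member = g.is_member("creator", "dd_child")
    granted = g.grant("creator", "dd_child", ignore_admin_only)
    return member, granted

if __name__ == "__main__":
    print(back_edge(False), back_edge(True), back_edge(True, True))
```

Each result is the pair (creator is a member of dd_child, back-edge GRANT accepted) for pre-v16, v16+, and v16+ with ADMIN-only edges excluded from the cycle check.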