Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sok8L-00DUal-CU for pgsql-general@arkaria.postgresql.org; Thu, 12 Sep 2024 13:45:18 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1sok8J-008Xjn-W6 for pgsql-general@arkaria.postgresql.org; Thu, 12 Sep 2024 13:45:16 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sok8J-008XhU-JK for pgsql-general@lists.postgresql.org; Thu, 12 Sep 2024 13:45:15 +0000 Received: from mail-oo1-xc31.google.com ([2607:f8b0:4864:20::c31]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1sok8G-000oJq-QY for pgsql-general@lists.postgresql.org; Thu, 12 Sep 2024 13:45:14 +0000 Received: by mail-oo1-xc31.google.com with SMTP id 006d021491bc7-5e1b55346c0so388127eaf.3 for ; Thu, 12 Sep 2024 06:45:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1726148712; x=1726753512; darn=lists.postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=71s6yLTFnqzmslu7mfZA/0CVmY/NkLVBrcOw/NZmb40=; b=UM4df4bNkQwgbbFNNK+YtZUf1yjNoct+0SPFkj+ZvCGJFtAX+ThjFDy68356MI7V6J ehp9WmxyA7iVXDMfwcc2f7IOGlr+Wk7XnKOuTs7WRB2FZ10A9s6sv0Cxb6HT3OqA/1ly +GRcS9BKh7ertaQbk7emrzjNIytEPcXeoqFehcKt48Zn+S66blVRSl6YWK33CNsDPSVk 4u88OpnUZXKW4PfIJBDcOByw5AorC2WTLImauaEmewA+lNNz7++BAKfd0w6liUjWNYrb gfmrrO/OnjSnKzRg5pYwPtSFi8a2bPaHKH1zeWWLXoUJr+XsEqbk/Z4XT/IhswTqe4ZQ LnSQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726148712; x=1726753512; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=71s6yLTFnqzmslu7mfZA/0CVmY/NkLVBrcOw/NZmb40=; b=czgbnKoV9vkkbuJoM/NlZD+bgdEZrB0wFjPYI3KMLllEmtC2JI/VMgUozKQRPDVc89 5SLyFTlnSM2wfRuPHEVG0pZn7s1JvxoMoQEp+lXWBIG1eAGRJTlWntWcuNp0qlPGzmwv 8jpcokQWFy9psGt68lFHhq/omqWTkUkLGeqMP0ldYuvj3snvivIIOXOcE9RMDZ247Cz0 hopgtEmOjAqIFs62S0+b3VpWbNrQTLNRMNrf/Zb522Vzx+4Q9/VbGX3sU8SJGQkGe7lt PpyO8iJlSYVbZcjXnfEXafDjBOxbb/Zmk1EArKx/nxANuZ67Jta2+Uwlp+ZSzuLlZJWW 7vbQ== X-Forwarded-Encrypted: i=1; AJvYcCUYpG2zis7h784u4QKOOk+EBBJ/xfmWM9sZnPA4rbfYTcjVQWV38y1eTY7exzIeegX/tDFqYqAAlrHLrr3U@lists.postgresql.org X-Gm-Message-State: AOJu0YzoOukPTOgtn+bl8CnopXeE68l9wN4Fwa7XaSZsObaO3uZG8snI fIgCsemmo4i/8LGemsydTpWrCm5t3G4g69mS2mTSkONnZ4UylulT33DEO9N+hkSPuzJJw/W8yCJ xYcaPJ67vVp+UXEtsmPgng504EgA= X-Google-Smtp-Source: AGHT+IGJ2njxQpkCk2rFXkGUtHHXmrsFQCiBjHFl4/9tggcMVhr1hz4njh7WP4yCYUWAwstpsBPcM8ToCabNeZlDBhs= X-Received: by 2002:a05:6820:270c:b0:5e1:ea03:928f with SMTP id 006d021491bc7-5e2014555f8mr1331015eaf.7.1726148712242; Thu, 12 Sep 2024 06:45:12 -0700 (PDT) MIME-Version: 1.0 References: <4308abb3-269e-4cee-a48f-c95d49ede6c2@postgrespro.ru> In-Reply-To: From: Dominique Devienne Date: Thu, 12 Sep 2024 15:45:01 +0200 Message-ID: Subject: Re: Backward compat issue with v16 around ROLEs To: Pavel Luzanov Cc: "David G. Johnston" , Wolfgang Walther , pgsql-general@lists.postgresql.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Thu, Sep 12, 2024 at 2:40=E2=80=AFPM Dominique Devienne wrote: > Basically the above explain why we have that > dd_user (INHERIT) > `-> member-of dd_admin (NOINHERIT) > `-> member-of dd_owner (INHERIT). > > In pre-v16, once again, this was fine. > Because v16+ adds that dd_owner member-of dd_user (ADMIN) > edge, things break down. Another way to look at it is this: =3D=3D=3D v14 =3D=3D=3D ddevienne=3D> create role dd_child; CREATE ROLE ddevienne=3D> select pg_has_role(current_role, 'dd_child', 'MEMBER'); pg_has_role ------------- f (1 row) =3D=3D=3D v16 =3D=3D=3D ddevienne=3D> create role dd_child; CREATE ROLE ddevienne=3D> select pg_has_role(current_role, 'dd_child', 'MEMBER'); pg_has_role ------------- t (1 row) Any existing ROLE graph which had "back-edges" (GRANTs) from a ROLE back to the ROLE that created it, valid in pre-v16, becomes invalid in v16+= . And there's no work-around. Tough luck, take a hike... And our security model and its implementation basically requires such back-edges. My contention is that if this is an ADMIN-only edge, it shouldn't be deemed circular. Kind of the same way you break cycles in FKs by making one side DEFERRED, ADMIN edges should be "weaker" than SET ones, and break cycles. Maybe I'm the only one in the world using PostgreSQL in that situation? Somehow I doubt that. Most people and organization are slow to upgrade, and v16 is new enough that it wasn't exposed to enough real world usage yet= . So this is issue is only get bigger as time passes IMHO. Thanks, --DD