Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1soj82-00DNRJ-JJ for pgsql-general@arkaria.postgresql.org; Thu, 12 Sep 2024 12:40:55 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1soj81-0074Uv-2b for pgsql-general@arkaria.postgresql.org; Thu, 12 Sep 2024 12:40:53 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1soj80-0074T3-Ng for pgsql-general@lists.postgresql.org; Thu, 12 Sep 2024 12:40:52 +0000 Received: from mail-ot1-x32f.google.com ([2607:f8b0:4864:20::32f]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1soj7x-000olS-1c for pgsql-general@lists.postgresql.org; Thu, 12 Sep 2024 12:40:52 +0000 Received: by mail-ot1-x32f.google.com with SMTP id 46e09a7af769-70f645a30dcso455201a34.3 for ; Thu, 12 Sep 2024 05:40:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1726144848; x=1726749648; darn=lists.postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=xgIQBWlbiOlC+4N7/R6jL7PrjM49iPz03lVe5xkjUWA=; b=eEQAkalOWrfB6XsEYQzFcJIWzP96N2yV6OgA5R91Kab5o1AR2sXDgJXY888NX5W8Cu dkotrVX+yfirCepFHgH2PxsN6s2MXm4ZHsT+XnS3aHqkVvjj0TRqSdJBz/qvSNiU6Sdi UpTf5OKQZpf0ZygRfb7xOu5vKlPh9T1W2oXazli5DyVOHcZmljmJpdSNoFxyv8jy2boP aH4oO0HCsYRe55vRrUUn6iZbe8Ydz6rlrPIuvgzZM4sNKZlydzfPtLCzPcdUcWHswVbJ B/FMeql3K77pgbJG3uboAf8MrgdhfnDLo7LhtzOyrhDmUrsCbB4N0MU+9BpsBInma2nz 4jXA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726144848; x=1726749648; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=xgIQBWlbiOlC+4N7/R6jL7PrjM49iPz03lVe5xkjUWA=; b=uX7JXp09q17foey8/BpbTYopZvfsmYefQ8jPuCFz7Mn7hjtgzL/jn5PCxFhWaaoiKU sBZAKysfLzG823LkZCk+m3nJ3KGWmre9kh5R1tBMiA3drOOv6Jsk4M/6rPALI/nmXCuS hTuexKTXI7LxQqyr8gJC+l3qmgXviXsyYwIwXjAXQhG7nOs9vyAmscL9CrxX/i7T2kQV mkfjDC3JnfVYcUTt7kDDgxCVDH2kc07XPtGC5OkQk6SQ8JdAvXXhFQfDro+F3zU4JT3y SU8UijC7fqbX7TQWITsrNXS9tjXdlJl3Ke3PcghxRqVJ6mevH8E9eWozUkLBZmwgvijd Rdug== X-Forwarded-Encrypted: i=1; AJvYcCWh7YlYqSukmSucwpar2QfDW5rfej4+wO6dkLq8M0LfTGEc5nryJ0SgbaE/l8hpNPLrcbzu7FMC0SEhwakg@lists.postgresql.org X-Gm-Message-State: AOJu0Yw2ZQLIUqzPDexG609m3dlfXJ+kaNCBIeYvB6QcoX8PIGbsv/08 TlFXUyawYkqWcnqScTKssS2ZLPE/L+x3baPfxMUhXSyyIY53FCgMY8y1dl12YaVA3NGvo+1hXxt w5FNfulIKhjqYafoksuNiiNa8sQ8= X-Google-Smtp-Source: AGHT+IES5PfnTKSTgZ5vkXjc8zByQaYBwsFcOXPh4n/jhspAAbY9rkZtJmM99Ap47t2oTyqu9Wd0Kga0lgRRZK0/Ap4= X-Received: by 2002:a05:6830:2802:b0:709:4793:8757 with SMTP id 46e09a7af769-7110945bf81mr2129711a34.2.1726144848240; Thu, 12 Sep 2024 05:40:48 -0700 (PDT) MIME-Version: 1.0 References: <4308abb3-269e-4cee-a48f-c95d49ede6c2@postgrespro.ru> In-Reply-To: <4308abb3-269e-4cee-a48f-c95d49ede6c2@postgrespro.ru> From: Dominique Devienne Date: Thu, 12 Sep 2024 14:40:36 +0200 Message-ID: Subject: Re: Backward compat issue with v16 around ROLEs To: Pavel Luzanov Cc: "David G. Johnston" , Wolfgang Walther , pgsql-general@lists.postgresql.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Wed, Sep 11, 2024 at 10:20=E2=80=AFPM Pavel Luzanov wrote: > On 11.09.2024 22:21, David G. Johnston wrote: >> I think this needs to be the other way around: > [...]. In any case fixing the with admin error is the correct approach. > > Unfortunately, it won't work. > Dominique is right. This will lead to circularities. Exactly!!! At this point, I think there's a fundamental in the way things stand... If the ROLE P has only ADMIN on another C, and neither SET nor INHERIT, there should NOT be circularities introduced, even if C ends up a member of= P. That's I suspect the ONLY way to be backward compatible with pre-v16. > I think this is a migration issue for v16 and it is not mentioned in rele= ase notes. You bet it is. But just mentioning it on the release notes doesn't do me any good :( Something valid and that used to work, is now impossible, with no known workaround at this point. Isn't that the very definition of a regress= ion? I don't mean to offend anyone. But as I don't see any way out of my v16+ conundrum, I have to admit to being a little peeved. > I didn't quite understand the exact purpose of the roles dd_owner and dd_= admin. I've tried to explain the rational in my initial post. Not sure I can do a better job, but let me try to explain it from a different angle, which I think is in line in spirit with the CREATEROLE changes / weakening. Our system uses a lot of internal roles to implement our security model. All those roles are intended to be created and managed by a single "root" role (my dd_owner in the example), with CREATEROLE. All administrative task go through that role. So it acts as a kind of "local" SUPERUSER for our internal roles (which come and go). Also note that ALL our internal roles are NOLOGIN. And our GRANTs are all "internal", to/from our internal ROLEs, managed by OURT system. So it's an isolated island of ROLEs and GRANTs. And the DBA "binds" a "real" USER / LOGIN role to one of our internal roles. We don't manage those LOGIN roles, these are roles used for authentication, while ours are about authorization. And finally, in our security model, some of our "user" role (again, internal NOLOGIN roles we manage) are supposed to be able to have full adminstrative privileges on the whole system. That's why we have that special "admin" role. (there's an actual reason for the "admin" role, and that is NOINHERIT. internal "user" roles need to be INHERIT for their "downstream" membership to "data" roles. But we don't want INHERIT for the "upstream" admin role membership. So we needed that intermediate "admin" role, so we could enforce the NOINHERIT to administrative tasks). I'm afraid I've lost most people above, but that's true... Basically the above explain why we have that dd_user (INHERIT) `-> member-of dd_admin (NOINHERIT) `-> member-of dd_owner (INHERIT). In pre-v16, once again, this was fine. Because v16+ adds that dd_owner member-of dd_user (ADMIN) edge, things break down. > But a possible way is to use dd_admin to create roles. > For example: > > create role dd_admin login createrole; > \c - dd_admin > create role dd_owner noinherit; > > create role dd_user login; > grant dd_owner to dd_user; > > \c - dd_user > set role dd_owner; But if you back to my initial post, you'd read that once dd_user has become dd_owner, it's supposed to be able to do administrative task. But because we've swapped the dd_owner and dd_admin responsabilities, dd_owner is "powerless" now. It can't create roles or do grants. So we're back to square one... :( That's why I'm starting to think there's a fundamental flaw, as I tried to explain in this reply and my other one to Tom, which is basically leaving me at an impasss regarding v16+. Can you explain why my naive "fix" to NOT consider ADMIN-only (new in v16+) edges in the graph for circularities could be wrong? Then again, even if it was a real "fix" (doubtful!), and was in v18 (even more doubtful!!), that doesn't help me short term :( --DD