Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sQwPT-00CR43-GT for pgsql-general@arkaria.postgresql.org; Mon, 08 Jul 2024 22:00:35 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1sQwPR-009xkk-VK for pgsql-general@arkaria.postgresql.org; Mon, 08 Jul 2024 22:00:33 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sQwPR-009xkb-K2 for pgsql-general@lists.postgresql.org; Mon, 08 Jul 2024 22:00:33 +0000 Received: from mail-ot1-x332.google.com ([2607:f8b0:4864:20::332]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1sQwPP-0017FH-B0 for pgsql-general@postgresql.org; Mon, 08 Jul 2024 22:00:33 +0000 Received: by mail-ot1-x332.google.com with SMTP id 46e09a7af769-7035e281970so1033909a34.0 for ; Mon, 08 Jul 2024 15:00:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1720476029; x=1721080829; darn=postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=HU4Xc3FiakKNxCWSRGm4ltE+wUeOPzeKhgA7eE9iNVc=; b=X5P8L2PJHkRU4bk3ifucjqWG+0PUCNZxdSsLDAcxJIm+qzcmKK7RfoqkqMUfB5Svrb rxwS8p9OI7VhL00OVIC7j8UbeKz4ImnxBdqgmKUWLaTauS6E8IugCTQ9K8weHM3Qf+Nw +7yWEcxep3e4r6Pu48cZMCBc5/HA2lajd70G77s23K4SAJUnmBLTjPP7U8g7rd70fCvd 3E7xlKXBTTdLrifPL4KsNYtBm+uY3tn9WOzeLP0/v9XHvTEVdxjaQzwyXZAjzHU3+z7V 7gHljTazewR6xlE29BgwNsE2qkS4l94giZ+ss7Ige4k/y+1/H+/vmdORJZhUns9ziG7J b0ZQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720476029; x=1721080829; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=HU4Xc3FiakKNxCWSRGm4ltE+wUeOPzeKhgA7eE9iNVc=; b=cN8laxAvvQYgeM4/4Rkjrb3PLiukZC4hWibqdr0mdj2JZzGF1MVhR54k/+JayncXN3 x3IdfT8qeZN/jk2TybRRPYgJSgMld+Zhy5UF+OHVBcoexy5b7Ny/e/mmu2CrXf6hqljv WbcWq9gSlTgmigBg9rPg6yg0O7WJIlyubP9JlrTp73Nl8r38cUrxSdVzXLEDFaOSB7iF YMRGhoJdTDtCqDnRmyncHuVNxj1NoG6lwmwisOnqwfVTJi8CwmAaOwUThSnnlRB/SCMk 8XoCJuY+xtZUCw+MupA617xsPW4W2aO873QNQb5lR1wVqs2HcySQKhEXESYJyiDBl6Ag C8Qw== X-Forwarded-Encrypted: i=1; AJvYcCVwcmLTUp4GI5X7LjXSyKOrp6+qM+VgzBaFkz3paj0SOSwLGrgLH1ydUTO4E3gQ7JAODziz6/Csn4M55J/6WBtVnTPEhrdNvQPQEibR X-Gm-Message-State: AOJu0Yx2MQmeviNDIgSLBPcyq31eKN7ur3hxsbvfPeBwfQSlrWfk5+YY 0PYiRb0coAnlEr+h+LnS+JyEKCi/Hd2EZww68FXikpZGALMKy7fxa+9jsmB6ELKJNrE+iE8iD4H OIWHO21JfpCM9ihtIbWOsY7mg9Go= X-Google-Smtp-Source: AGHT+IHIPCQQN/kIHpbaXGXYmz+h3eDXYrDnzh3y7g0F87cmTssGgbUl5YacYGFI/LPSmPhGMtwcV2eDnzcoF4uIVDU= X-Received: by 2002:a05:6870:7b4b:b0:25d:fea2:2f2f with SMTP id 586e51a60fabf-25eafb53300mr266999fac.27.1720476029451; Mon, 08 Jul 2024 15:00:29 -0700 (PDT) MIME-Version: 1.0 References: <69A2A7BD-F8CA-4067-B229-B5F9FC6A884F@thebuild.com> <2e3e4ddb-52b5-49b2-b363-00e3f12a83a0@postgrespro.ru> <1214992.1720473388@sss.pgh.pa.us> In-Reply-To: <1214992.1720473388@sss.pgh.pa.us> From: "David G. Johnston" Date: Mon, 8 Jul 2024 14:59:51 -0700 Message-ID: Subject: Re: v16 roles, SET FALSE, INHERIT FALSE, ADMIN FALSE To: Tom Lane Cc: Pavel Luzanov , Christophe Pettus , pgsql-general Content-Type: multipart/alternative; boundary="0000000000009485f3061cc38a82" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --0000000000009485f3061cc38a82 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Mon, Jul 8, 2024 at 2:16=E2=80=AFPM Tom Lane wrote: > Pavel Luzanov writes: > > On 08.07.2024 22:22, Christophe Pettus wrote: > >> This is more curiosity than anything else. In the v16 role system, is > there actually any reason to grant membership in a role to a different > role, but with SET FALSE, INHERIT FALSE, and ADMIN FALSE? Does the role > granted membership gain any ability it didn't have before in that case? > > > Looks like there is one ability. > > Authentication in pg_hba.conf "USER" field via +role syntax. > > Hmm, if that check doesn't require INHERIT TRUE I'd say it's > a bug. > > The code doesn't support that claim. It seems quite intentional that this check is purely on membership - what with ACL having a dedicated function for the purpose of checking plain recursive membership that only this and the circularity check code use. I suppose it makes sense too - at least unless you also check for SET - since it seems desirable to allow login as a member role to a group you can only SET to and don't inherit from. David J. --0000000000009485f3061cc38a82 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Mon, Jul 8, 2024 at 2:16=E2=80=AFPM Tom Lane <tgl@sss.pgh.pa.us> wrote:
<= /div>
Pavel Luzanov <p.luzanov@postgrespro.ru> writes:
> On 08.07.2024 22:22, Christophe Pettus wrote:
>> This is more curiosity than anything else.=C2=A0 In the v16 role s= ystem, is there actually any reason to grant membership in a role to a diff= erent role, but with SET FALSE, INHERIT FALSE, and ADMIN FALSE?=C2=A0 Does = the role granted membership gain any ability it didn't have before in t= hat case?

> Looks like there is one ability.
> Authentication in pg_hba.conf "USER" field via +role syntax.=

Hmm, if that check doesn't require INHERIT TRUE I'd say it's a bug.


The code doesn't support t= hat claim.=C2=A0 It seems quite intentional that this check is purely on me= mbership - what with ACL having a dedicated function for the purpose of che= cking plain recursive membership that only this=C2=A0and the circularity ch= eck code use.=C2=A0 I suppose it makes sense too - at least unless you also= check for SET - since it seems desirable=C2=A0to allow login as a member r= ole to a group you can only SET to and don't inherit from.

=
David J.

--0000000000009485f3061cc38a82--