Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nSR60-0002W0-IV for pgsql-hackers@arkaria.postgresql.org; Thu, 10 Mar 2022 22:17:20 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1nSR5z-00043t-EC for pgsql-hackers@arkaria.postgresql.org; Thu, 10 Mar 2022 22:17:19 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nSR5x-000436-W3 for pgsql-hackers@lists.postgresql.org; Thu, 10 Mar 2022 22:17:19 +0000 Received: from mail-pl1-x62f.google.com ([2607:f8b0:4864:20::62f]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1nSR5r-0004qO-4v for pgsql-hackers@postgresql.org; Thu, 10 Mar 2022 22:17:16 +0000 Received: by mail-pl1-x62f.google.com with SMTP id z3so6114078plg.8 for ; Thu, 10 Mar 2022 14:17:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=v6EhHLRD19sjE5TAHbgvm48bvHdzylKupHgWCRxsT6M=; b=JiRCPpQVoMbjlIuptUrHEUT9xXvwN/UJG5vJJ4i8jVKJdjFCKUGfoKVCY1R6+PmHyl cyWp7C3fIL5nBT6WnK9QYT91QFMY5DdlLEc+qu2FhoDjVTasFciTY0bahO/nOvVjM6vc gIBsIMuAM69HJdLl+CBuCDT3OKq+XuaSpjUZf1+HuwJ3edF2WosERchlExvDWA2mnQn9 6ebkVSdkB25wnDP9XmclYErn6SJTjRQ4cv9rk2OAmc6a6HMaAZ89iTZzmb4cBME51MjE o9N/wYADBcEInqaBKZ3i+Xfjn4AuZRXnBaf11TWo7c/KXbrmRzCRXGc8u5jBivbXaoRS rLeQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=v6EhHLRD19sjE5TAHbgvm48bvHdzylKupHgWCRxsT6M=; b=ui4wQBBGAhFhKODJrw5sDA6UXyqoLql6mBrrQ6UXFPTtcQZsNOA7Bf2SD0H5eARqWT t+vS6fgTpBkTirexeWpRiaBPe+6B3rCgOQ6qAprrsBm1eUQPeHqp2F8E3JZo+WktJyXK Q/RHbE6+QkDGT+L7+JBr4xGBBfajMgqwRuH47eGz1ybh5EK8VUEsVfnh62v9u0EOHt9n UU8O1zcwAPKX3xCZPbHfcawxu3elfFu0PmYll4xXxaLW74ui0FpEXIHzEftLr3speZkw 7Ba5p7UoL7qn95/jZRJmTt4ssCAik4gDo66ziiqOeA4wGMdcSl2rHIxJXum7pxfbQT26 vFVg== X-Gm-Message-State: AOAM533SA4t1y1xwgaf02m4LZRsNzuiFbHqdZorFGUbdqtn2ldhLoAiu WqgX+5ODAyNFMjdF5Uu4pF5kRs6C3miwRSMvaLT/BcfRSsYydfRtwkd+9FrCq67Q76PSIMJPpsT zlVxzJJCjT3rNLoMiCkL8cqWeqWQP2cLgb1ZxfMh72DqXZ8+ZMeVVn4/+MSFUoy7IztiQqO+onp y9znz7M1D8sBT9F6mIaX/g7a/WMRXkpZuzvKYJ X-Google-Smtp-Source: ABdhPJzxbgzfdTjyGhPgizlmoLjAYcK+z4Cw9trLD6ohlKQyZeAc2w2Xlnb0WLYPvoT2oxPtcb59sQ== X-Received: by 2002:a17:902:bb02:b0:151:56a8:f80b with SMTP id im2-20020a170902bb0200b0015156a8f80bmr7494508plb.30.1646950629774; Thu, 10 Mar 2022 14:17:09 -0800 (PST) Received: from laptop280-ma-us.hitronhub.home (24-113-193-150.wavecable.com. [24.113.193.150]) by smtp.gmail.com with ESMTPSA id t71-20020a63784a000000b00380a9f7367asm6701735pgc.77.2022.03.10.14.17.09 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 10 Mar 2022 14:17:09 -0800 (PST) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\)) Subject: Re: role self-revocation From: Mark Dilger In-Reply-To: Date: Thu, 10 Mar 2022 14:17:08 -0800 Cc: "David G. Johnston" , Stephen Frost , Peter Eisentraut , Joshua Brindle , Andrew Dunstan , PostgreSQL-development Content-Transfer-Encoding: quoted-printable Message-Id: <0AFBA185-6812-45B1-A1FD-D1C432F47C87@enterprisedb.com> References: <20220228190923.GJ10577@tamriel.snowman.net> <0c095133-7dc7-7a11-b773-0318807380db@enterprisedb.com> <2e2f9ae2-50fc-1a03-394c-ed4288a8cae2@enterprisedb.com> <20220310195849.GH10577@tamriel.snowman.net> To: Robert Haas X-Mailer: Apple Mail (2.3608.120.23.2.7) X-CLOUD-SEC-AV-Info: enterprisedb,google_mail,monitor X-CLOUD-SEC-AV-Sent: true X-Gm-Spam: 0 X-Gm-Phishy: 0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk > On Mar 10, 2022, at 2:01 PM, Robert Haas = wrote: >=20 > It sounds like you prefer a behavior where CREATEROLE gives power over > all non-superusers, but that seems pretty limiting to me. Why can't > someone want to create a user with power over some users but not > others? I agree with Robert on this. Over at [1], I introduced a patch series to (a) change CREATEROLE and = (b) introduce role ownership. Part (a) wasn't that controversial. The = patch series failed to make it for postgres 15 on account of (b). The = patch didn't go quite far enough, but with it applied, this is an = example of a min-superuser "lord" operating within database "fiefdom": fiefdom=3D# -- mini-superuser who can create roles and write all data fiefdom=3D# CREATE ROLE lord fiefdom-# WITH CREATEROLE fiefdom-# IN ROLE pg_write_all_data; CREATE ROLE fiefdom=3D#=20 fiefdom=3D# -- group which "lord" belongs to fiefdom=3D# CREATE GROUP squire fiefdom-# ROLE lord; CREATE ROLE fiefdom=3D#=20 fiefdom=3D# -- group which "lord" has no connection to fiefdom=3D# CREATE GROUP paladin; CREATE ROLE fiefdom=3D#=20 fiefdom=3D# SET SESSION AUTHORIZATION lord; SET fiefdom=3D>=20 fiefdom=3D> -- fail, merely a member of "squire" fiefdom=3D> CREATE ROLE peon IN ROLE squire; ERROR: must have admin option on role "squire" fiefdom=3D>=20 fiefdom=3D> -- fail, no privilege to grant CREATEDB=20 fiefdom=3D> CREATE ROLE peon CREATEDB; ERROR: must have createdb privilege to create createdb users fiefdom=3D>=20 fiefdom=3D> RESET SESSION AUTHORIZATION; RESET fiefdom=3D#=20 fiefdom=3D# -- grant admin over "squire" to "lord" fiefdom=3D# GRANT squire fiefdom-# TO lord fiefdom-# WITH ADMIN OPTION; GRANT ROLE fiefdom=3D#=20 fiefdom=3D# SET SESSION AUTHORIZATION lord; SET fiefdom=3D>=20 fiefdom=3D> -- ok, have both "CREATEROLE" and admin option for "squire" fiefdom=3D> CREATE ROLE peon IN ROLE squire; CREATE ROLE fiefdom=3D>=20 fiefdom=3D> -- fail, no privilege to grant CREATEDB fiefdom=3D> CREATE ROLE peasant CREATEDB IN ROLE squire; ERROR: must have createdb privilege to create createdb users fiefdom=3D>=20 fiefdom=3D> RESET SESSION AUTHORIZATION; RESET fiefdom=3D#=20 fiefdom=3D# -- Give lord the missing privilege fiefdom=3D# GRANT CREATEDB TO lord; ERROR: role "createdb" does not exist fiefdom=3D#=20 fiefdom=3D# RESET SESSION AUTHORIZATION; RESET fiefdom=3D#=20 fiefdom=3D# -- ok, have "CREATEROLE", "CREATEDB", and admin option for = "squire" fiefdom=3D# CREATE ROLE peasant CREATEDB IN ROLE squire; CREATE ROLE The problem with this is that "lord" needs CREATEDB to grant CREATEDB, = but really it should need something like grant option on "CREATEDB". = But that's hard to do with the existing system, given the way these = privilege bits are represented. If we added a few more built-in pg_* = roles, such as pg_create_db, it would just work. CREATEROLE itself = could be reimagined as pg_create_role, and then users could be granted = into this role with or without admin option, meaning they could/couldn't = further give it away. I think that would be a necessary component to = Joshua's "bot" use-case, since the bot must itself have the privilege to = create roles, but shouldn't necessarily be trusted with the privilege to = create additional roles who have it. [1] = https://www.postgresql.org/message-id/53C7DF4C-8463-4647-9DFD-779B5E1861C4= @amazon.com =E2=80=94 Mark Dilger EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company