Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nwr5S-0000gj-4v for pgsql-hackers@arkaria.postgresql.org; Thu, 02 Jun 2022 20:06:30 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1nwr5Q-0008NU-LB for pgsql-hackers@arkaria.postgresql.org; Thu, 02 Jun 2022 20:06:28 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nwr5Q-0008NK-9u for pgsql-hackers@lists.postgresql.org; Thu, 02 Jun 2022 20:06:28 +0000 Received: from mail-il1-x131.google.com ([2607:f8b0:4864:20::131]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1nwr5J-00086R-LD for pgsql-hackers@postgresql.org; Thu, 02 Jun 2022 20:06:27 +0000 Received: by mail-il1-x131.google.com with SMTP id b11so4130884ilr.4 for ; Thu, 02 Jun 2022 13:06:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=bUG5nlPOydnRCAGhh5l4EjAB48/vgFkM76Qy3uo5Yf0=; b=KHoQlkhTQKCMB5zuKCkWluiWj42DwNhd6AbbCOBWvN4dvMF7m+I+4fCKpIachDSDx8 8R2oCgp7zvEzvMMqkysG3lpHcPcaCmMNFC7vW7/ey1rqrCTNl0BJRMssVj0kocVIGs+O G8CBitqJi0ddJvO62pcDARYzw17pPzKFiugwEyfTU9z1843JFfAwrrV23YUFnP67u+lv lYKTkGigKemwoYXZck9ircfErCtEXV6N8WCo1m1l/zA3PX5Ps2aThR3w8dYYtie4N8WJ cyYUoU5oIfCdu+9IAhmRx+uGIfuCr9HGCv2wBPf67YrN+sREAAugwfX+4d6tHsZozdG7 VORw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=bUG5nlPOydnRCAGhh5l4EjAB48/vgFkM76Qy3uo5Yf0=; b=UrEip7kW0+Xq9nsNmZiWvhPC+9nlgtlX2lFW93iTZXLMVa+xHFlOpdjoZv9elURG7V F3C7XzM+JJlbIB4UgbbsPlj8U2MZMU3UNI9hPx/Sx9seoYdyZSFjeLUdDbCkO1+qYjzd l8H184fnVbJP+NT7DQPzLTpFCN+DrSzLbT4G6FvBQADtHTSxKF65ty+p6/0Rqii3dIbq tpWt6kHklaJCTLPdsmk+b6DNVODIsBRr3HzsJVEOxkmwgzpUt1FxynLqKV436zQElVLv 9c9U2Pj/1MXu4w9HyhTOAhTAvQDItHX2hKALzCYyMWc46o0yhLdqqmoa7wd5fxFtdqch lhww== X-Gm-Message-State: AOAM531EpFFD8TKD4kXGnJEeOYzJclX5J5ZTjZxAevuCbqeVQtRZdoWW ROnf+pl9tUJuzxA1QkR0hHA= X-Google-Smtp-Source: ABdhPJzb/ZlfyBzdGZwl1/EkSFLmRWm9DRX4XSfqa2I0/Obqjwo+qfX1/8fge0JHJnYJ6z7GVg5o/w== X-Received: by 2002:a92:3609:0:b0:2c6:3595:2a25 with SMTP id d9-20020a923609000000b002c635952a25mr4112249ila.233.1654200380533; Thu, 02 Jun 2022 13:06:20 -0700 (PDT) Received: from nathanxps13 ([2600:1700:48f8:340f:57c6:42f3:8a24:19b1]) by smtp.gmail.com with ESMTPSA id c2-20020a02a602000000b0032ee4399d0asm1617085jam.80.2022.06.02.13.06.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 02 Jun 2022 13:06:19 -0700 (PDT) Date: Thu, 2 Jun 2022 13:06:17 -0700 From: Nathan Bossart To: Robert Haas Cc: Joe Conway , Tom Lane , "Bossart, Nathan" , Stephen Frost , PostgreSQL-development Subject: Re: replacing role-level NOINHERIT with a grant-level option Message-ID: <20220602200617.GA2404070@nathanxps13> References: <0ED10807-9E7F-4BB5-9473-4668EE68AE2D@amazon.com> <4117557.1641329799@sss.pgh.pa.us> <730520.1644168290@sss.pgh.pa.us> <80af9ba7-ec24-9134-8fd9-00bf13f5c494@joeconway.com> <20220602180755.GA2402942@nathanxps13> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Thu, Jun 02, 2022 at 03:37:34PM -0400, Robert Haas wrote: > On Thu, Jun 2, 2022 at 2:07 PM Nathan Bossart wrote: >> I think we should also consider replacing role attributes with predefined >> roles. I'm not sure that this proposal totally prepares us for such a >> change, given role attributes apply only to the specific role for which >> they are set and aren't inherited. ISTM in order to support that, we'd >> need even more enhanced functionality. For example, if I want 'robert' to >> be a superuser, and I want 'joe' to inherit the privileges of 'robert' but >> not 'pg_superuser', you'd need some way to specify inheriting only certain >> privileges possessed by an intermediate role. > > I guess we could think about adding something like an ONLY clause, > like GRANT ONLY robert TO joe. I feel a little bit uncomfortable about > that, though, because it assumes that robert is a superuser but his > own privileges are distinguishable from those of the superuser. Are > they really? If I can assume robert's identity, I can presumably > Trojan my way into the superuser account pretty easily. I'll just > define a little trigger on one of his tables. I don't really see a way > where we can ever make it safe to grant a non-superuser membership in > a superuser role. I was primarily looking at this from the angle of preserving current behavior when upgrading from a version with role attributes to a version without them. If it's alright that a role with privileges of a superuser role begins being treated like a superuser after an upgrade, then we probably don't need something like GRANT ONLY. I bet that's how a lot of people expect role attributes to work, anyway. I'm sure I did at some point. > But even if there is a way, I think that is a separate patch from what > I'm proposing here. [NO]INHERIT only has to do with what privileges > you can exercise without SET ROLE. To solve the problem you're talking > about here, you'd need a way to control what privileges are conferred > in any manner, which is related, but different. I agree that the role-attribute-to-predefined-role stuff needs its own thread. I just think it's worth designing this stuff with that in mind. -- Nathan Bossart Amazon Web Services: https://aws.amazon.com