Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1oT54E-0008V6-0x for pgsql-hackers@arkaria.postgresql.org; Tue, 30 Aug 2022 17:30:26 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1oT54C-0007PC-Jr for pgsql-hackers@arkaria.postgresql.org; Tue, 30 Aug 2022 17:30:24 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1oT54C-0007P2-9X for pgsql-hackers@lists.postgresql.org; Tue, 30 Aug 2022 17:30:24 +0000 Received: from mail-pl1-x62c.google.com ([2607:f8b0:4864:20::62c]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1oT549-0004Bg-JE for pgsql-hackers@postgresql.org; Tue, 30 Aug 2022 17:30:23 +0000 Received: by mail-pl1-x62c.google.com with SMTP id l3so11783359plb.10 for ; Tue, 30 Aug 2022 10:30:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc; bh=gsVRZOf+0ZTB6H0XVHf5HJBxFdAZ57en8CUQstyV0oY=; b=neW1lPBjTRYyx0qYeYuZKQy/XxOecg5maYTJsdCJ5/96wDUe9RiCvHLH+jSmVaOBGT TF5gXQA7SgdkZ93QUVQSUeDPCK2TrAGYmdEnlSwdWXQV2GwZencQFpAoTlahjLk828BM 1AFQQkcJDR0O36oa/8inRyLpzn0giAC1c+M6Oje0H+r27dIeWBJ8ed9Nwbu/Tvfo7b3s zOCtxNg9y7vcebxuQyCKBQJVdxjgLeFAp90rK2TgqAuyg4x2GRFJL2QAcqCv3K7Umd+f kObFSoIjskjcDvWeBfaqLAZjOLaTdwnkfiuOWhOeer/Th65MhAR7pfAVThKefKpPCxqE Djlg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc; bh=gsVRZOf+0ZTB6H0XVHf5HJBxFdAZ57en8CUQstyV0oY=; b=C6dbjyJEV8IAPixglrYUvdmChJIRXgBy9GLRYLYHbc7oBZxT3qApY9PJCATm3Do25M u3bsDmW9REqdXlKO83aLQxb8jru3SdJw4Lq09q5+EIqtuLqLLI05QOOjPi3T/eAIaJS+ E5XNTuNhQA6GFdmrkIuC6vxplSQBum15ZiksHOgbMkJmMdMJ+QHrly7se/w6bcJtGsqb asf87OkUs8teTtYuhW+zIcFPp9J9uVls48hMPynR8yuqO0c59cJIji4uuy07CxSpcexw zPQx5tJzX/Hm+j0Zd2roGJW5Bev38PUfvtPpZtUTseBDubnuos3K8AK83AlUm2XiZMk9 dRmQ== X-Gm-Message-State: ACgBeo1iWP9MbelEXR6HgN59Qq5pboMnSvmo8YKEYy0fazhcTgRn2KU4 3VAJ6eDNzSQbtQ7uUYHZTw8= X-Google-Smtp-Source: AA6agR7GEuGAmjtIaMKMdcofA4Le1HsDDFqdeaLymzCHhQZikTQzLvmQEYKdKgGbGrY5Paa/80awdQ== X-Received: by 2002:a17:902:820d:b0:175:b31:facd with SMTP id x13-20020a170902820d00b001750b31facdmr5621257pln.67.1661880620510; Tue, 30 Aug 2022 10:30:20 -0700 (PDT) Received: from nathanxps13 ([50.47.162.83]) by smtp.gmail.com with ESMTPSA id d9-20020a655ac9000000b0041c45d76b6bsm1893332pgt.38.2022.08.30.10.30.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 30 Aug 2022 10:30:19 -0700 (PDT) Date: Tue, 30 Aug 2022 10:30:17 -0700 From: Nathan Bossart To: Robert Haas Cc: tushar , Joe Conway , Tom Lane , "Bossart, Nathan" , Stephen Frost , PostgreSQL-development Subject: Re: replacing role-level NOINHERIT with a grant-level option Message-ID: <20220830173017.GB544233@nathanxps13> References: <030c1dbf-5a8e-706d-698c-b1cdfcb6ce0f@enterprisedb.com> <20220828211421.GA213902@nathanxps13> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Mon, Aug 29, 2022 at 03:38:57PM -0400, Robert Haas wrote: > Argh, I found a bug, and one that I should have caught during testing, > too. I modelled the new function select_best_grantor() on > is_admin_of_role(), but it differs in that it calls > roles_is_member_of() with ROLERECURSE_PRIVS rather than > ROLECURSE_MEMBERS. Sadly, roles_is_member_of() handles > ROLERECURSE_PRIVS by completely ignoring non-inherited grants, which > is wrong, because then calls to select_best_grantor() treat a member > of a role with INHERIT FALSE, ADMIN TRUE is if they were not an admin > at all, which is incorrect. I've been staring at this stuff for a while, and I'm still rather confused. * You mention that you modelled the "new" function select_best_grantor() on is_admin_of_role(), but it looks like that function was introduced in 2005. IIUC you meant select_best_admin(), which was added much more recently. * I don't see why we should ignore inheritance until after checking admin option. Prior to your commit (e3ce2de), we skipped checking for admin option if the role had [NO]INHERIT, and AFAICT your commit aimed to retain that behavior. The comment above check_role_grantor() even mentions "inheriting the privileges of a role which does have ADMIN OPTION." Within the function, I see the following comment: * Otherwise, the grantor must either have ADMIN OPTION on the role or * inherit the privileges of a role which does. In the former case, * record the grantor as the current user; in the latter, pick one of * the roles that is "most directly" inherited by the current role * (i.e. fewest "hops"). So, IIUC, the intent is for ADMIN OPTION to apply even if for non-inherited grants, but we still choose to recurse in roles_is_member_of() based on inheritance. This means that you can inherit the ADMIN OPTION to some degree, but if you have membership WITH INHERIT FALSE to a role that has ADMIN OPTION on another role, the current role effectively does not have ADMIN OPTION on the other role. Is this correct? As I'm writing this down, I think it's beginning to make more sense to me, so this might just be a matter of under-caffeination. But perhaps some extra comments or documentation wouldn't be out of the question... -- Nathan Bossart Amazon Web Services: https://aws.amazon.com