Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pCpNP-00081r-KB for pgsql-hackers@arkaria.postgresql.org; Tue, 03 Jan 2023 22:03:19 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1pCpNO-0007P0-2N for pgsql-hackers@arkaria.postgresql.org; Tue, 03 Jan 2023 22:03:18 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pCpNN-0007Mj-GI for pgsql-hackers@lists.postgresql.org; Tue, 03 Jan 2023 22:03:17 +0000 Received: from mail-oa1-x34.google.com ([2001:4860:4864:20::34]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1pCpNK-0008Qm-S2 for pgsql-hackers@postgresql.org; Tue, 03 Jan 2023 22:03:16 +0000 Received: by mail-oa1-x34.google.com with SMTP id 586e51a60fabf-150b06cb1aeso8779375fac.11 for ; Tue, 03 Jan 2023 14:03:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=leadboat.com; s=google; h=user-agent:in-reply-to:content-disposition:mime-version:references :message-id:subject:cc:to:from:date:from:to:cc:subject:date :message-id:reply-to; bh=YEieSjynLxe3gDYwdoLqL9iTbJErmH37Eys5PD7rMJw=; b=Lj9CHfgQZEeGmnNcDKhqdAva0nQZq6FMgeSXFRF+T2FCwR0gIZEBUL7rRT9dYCWtY6 TRzNi2lTlchAGAfvjbCGTnrN/lpRiZ0i/MwwPdHW5ArizTCDcxy+8UnPyITxRfUD1yo5 91f0jfxORZo3KHspV8yjlJE/Vzov0fQoGwKXA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=user-agent:in-reply-to:content-disposition:mime-version:references :message-id:subject:cc:to:from:date:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=YEieSjynLxe3gDYwdoLqL9iTbJErmH37Eys5PD7rMJw=; b=xdwFqM+9ZnWnm2ZkL/+MCZhI0m0U0u7Oe6/9bq9cBiRT51RNT2DYt4i+NwEkcRd06h xrpikBd5BUOVO4W4TiAh0dY2vbT7TfEq7D1sptKIM0ze1bV0XrzfpCQ3MK++sgrfd7Vl JG4jFkjaODt48wWHsnsguaKBjS79qbRY4Qnj/nfLl1DK7LweG6LrhN9eOrvNCbao/Lok wIsouhUn0mJX5CphXEVezqHT1ZfYQeoZ7P9UWEjC9dH89XWW04TafFEvDaHTiqiki/Pq Yf+TD8WqbE1EF2prWHgV2L1etW0RaI5Ogc2arvsuTS69n5XPB4YhlBBfZcFQxUnYT5N/ mReg== X-Gm-Message-State: AFqh2krv8mHABaEmKWNG8cGQvu+BIJOKDOegqbxqK/GAe7WJJs/ANVyj bcrNtwmK9vW3cM/zdM76EDZmHA== X-Google-Smtp-Source: AMrXdXtXVuhsRh1/a470XEfVTYmtm9vPS9whl64aTSxV9nQp5iEQcmmNXyKeKeCs7QEWepMpZziiew== X-Received: by 2002:a05:6870:a1b:b0:150:5fe2:bfb6 with SMTP id bf27-20020a0568700a1b00b001505fe2bfb6mr7392621oac.31.1672783393797; Tue, 03 Jan 2023 14:03:13 -0800 (PST) Received: from rfd.leadboat.com ([2600:1702:a20:5750::2e]) by smtp.gmail.com with ESMTPSA id n1-20020a056870820100b001446a45bb49sm14768932oae.23.2023.01.03.14.03.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 03 Jan 2023 14:03:13 -0800 (PST) Date: Tue, 3 Jan 2023 14:03:11 -0800 From: Noah Misch To: Robert Haas Cc: Jeff Davis , Stephen Frost , Nathan Bossart , "pgsql-hackers@postgresql.org" Subject: Re: allowing for control over SET ROLE Message-ID: <20230103220311.GA1678742@rfd.leadboat.com> References: <20221012205937.GA1548617@nathanxps13> <3e0e07334e2c4990491a8cbdef20dd89993a232a.camel@j-davis.com> <2428449680f732836906cebe9c8bf0998c7e5486.camel@j-davis.com> <20221231061640.GA1435002@rfd.leadboat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.24 (2015-08-30) List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Tue, Jan 03, 2023 at 02:43:10PM -0500, Robert Haas wrote: > On Sat, Dec 31, 2022 at 1:16 AM Noah Misch wrote: > > On Thu, Nov 17, 2022 at 04:24:24PM -0800, Jeff Davis wrote: > > > On Thu, 2022-11-17 at 16:52 -0500, Robert Haas wrote: > > > > But I think the bigger reason is that, in my opinion, this proposal is > > > > more generally useful, because it takes no position on why you wish to > > > > disallow SET ROLE. You can just disallow it in some cases and allow it in > > > > others, and that's fine. > > > > In this commit 3d14e17, the documentation takes the above "no position". The > > implementation does not, in that WITH SET FALSE has undocumented ability to > > block ALTER ... OWNER TO, not just SET ROLE. Leaving that undocumented feels > > weird to me, but documenting it would take the position that WITH SET FALSE is > > relevant to the security objective of preventing object creation like the > > example in the original post of this thread. How do you weigh those > > documentation trade-offs? > > In general, I favor trying to make the documentation clearer and more > complete. Intentionally leaving things undocumented doesn't seem like > the right course of action to me. For what it's worth, I like to leave many things undocumented, but not this. > That said, the pre-existing > documentation in this area is so incomplete that it's sometimes hard > to figure out where to add new information - and it made no mention of > the privileges required for ALTER .. OWNER TO. I didn't immediately > know where to add that, so did nothing. I'd start with locations where the patch already added documentation. In the absence of documentation otherwise, a reasonable person could think WITH SET controls just SET ROLE. The documentation of WITH SET is a good place to list what else you opted for it to control. If the documentation can explain the set of principles that would be used to decide whether WITH SET should govern another thing in the future, that would provide extra value.