Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pY3Bd-0004li-4T for pgsql-hackers@arkaria.postgresql.org; Fri, 03 Mar 2023 11:02:54 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1pY3Bc-0002qO-1S for pgsql-hackers@arkaria.postgresql.org; Fri, 03 Mar 2023 11:02:52 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pY3Av-0004Yy-5X for pgsql-hackers@lists.postgresql.org; Fri, 03 Mar 2023 11:02:09 +0000 Received: from mail.postgrespro.ru ([93.174.131.139]) by makus.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1pY3Ap-0004P8-RI for pgsql-hackers@lists.postgresql.org; Fri, 03 Mar 2023 11:02:06 +0000 Received: from [192.168.0.104] (unknown [62.217.188.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by mail.postgrespro.ru (Postfix) with ESMTPSA id 6F0CE21CD0AF; Fri, 3 Mar 2023 14:01:59 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=postgrespro.ru; s=mail; t=1677841319; bh=Ej4KB/MKcsMLzy0goBisPScsK0OVoR3eZdGCwkTKUpI=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=XimbZSQEC7wltKDQjTIUnUnYA36ovjsfm0K7mBkCgUFagcmatiLDUlTG9grVv396C 3dIFrNjcy+aOr4ucTH2B1bISjpRN5VFX5f1/VX01tOaB4b8pXodYdD94NX+aSZH7+u 6V/Dlb0Q9FYu183tMvP+xBCFRKr+Ec+cbnCMhTAo= Content-Type: multipart/alternative; boundary="------------ZxH6ImbAJQ78FdxLaiMCrUye" Message-ID: <20824093-d94f-e5d6-b611-8cec7fc6e95e@postgrespro.ru> Date: Fri, 3 Mar 2023 14:01:59 +0300 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.7.1 Subject: Re: psql: Add role's membership options to the \du+ command To: "David G. Johnston" Cc: David Zhang , "pgsql-hackers@lists.postgresql.org" References: <01620d6b-9efe-b199-b619-8450d865ec83@postgrespro.ru> <94ce7392-fa90-bc1c-4dc2-677161bbff58@postgrespro.ru> Content-Language: en-US From: Pavel Luzanov In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk This is a multi-part message in MIME format. --------------ZxH6ImbAJQ78FdxLaiMCrUye Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Hello, On 22.02.2023 00:34, David G. Johnston wrote: > I didn't even know this function existed. But I see that it was > changed in 3d14e171 with updated documentation: > https://www.postgresql.org/docs/devel/functions-info.html#FUNCTIONS-INFO-ACCESS > Maybe that's enough. > > > I think that should probably have ADMIN as one of the options as well. > Also curious what it reports for an empty membership. I've been experimenting for a few days and I want to admit that this is a very difficult and not obvious topic. I'll try to summarize what I think. 1. About ADMIN value for pg_has_role. Implementation of ADMIN value will be different from USAGE and SET. To be True, USAGE value requires the full chain of memberships to have INHERIT option. Similar with SET: the full chain of memberships must have SET option. But for ADMIN, only last member in the chain must have ADMIN option and all previous members must have INHERIT (to administer directly) or SET option (to switch to role, last in the chain). Therefore, it is not obvious to me that the function needs the ADMIN value. 2. pg_has_role function description starts with: Does user have privilege for role?     - This is not exact: function works not only with users, but with NOLOGIN roles too.     - Term "privilege": this term used for ACL columns, such usage may be confusing,       especially after adding INHERIT and SET in addition to ADMIN option. 3. It is possible to grant membership with all three options turned off:     grant a to b with admin false, inherit false, set false; But such membership is completely useless (if i didn't miss something). May be such grants must be prohibited. At least this may be documented in the GRANT command. 4. Since v16 it is possible to grant membership from one role to another several times with different grantors. And only grantor can revoke membership.     - This is not documented anywhere.     - Current behavior of \du command with duplicated roles in "Member of" column strongly confusing.       This is one of the goals of the discussion patch. I think to write about this to pgsql-docs additionally to this topic. -- Pavel Luzanov Postgres Professional:https://postgrespro.com --------------ZxH6ImbAJQ78FdxLaiMCrUye Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 8bit Hello,

On 22.02.2023 00:34, David G. Johnston wrote:
I didn't even know this function existed. But I see that it was changed in 3d14e171 with updated documentation:

I think that should probably have ADMIN as one of the options as well.  Also curious what it reports for an empty membership.

I've been experimenting for a few days and I want to admit that this is a very difficult and not obvious topic.
I'll try to summarize what I think.

1.
About ADMIN value for pg_has_role.
Implementation of ADMIN value will be different from USAGE and SET.
To be True, USAGE value requires the full chain of memberships to have INHERIT option.
Similar with SET: the full chain of memberships must have SET option.
But for ADMIN, only last member in the chain must have ADMIN option and all previous members
must have INHERIT (to administer directly) or SET option (to switch to role, last in the chain).
Therefore, it is not obvious to me that the function needs the ADMIN value.

2.
pg_has_role function description starts with: Does user have privilege for role?
    - This is not exact: function works not only with users, but with NOLOGIN roles too.
    - Term "privilege": this term used for ACL columns, such usage may be confusing,
      especially after adding INHERIT and SET in addition to ADMIN option.

    
3.
It is possible to grant membership with all three options turned off:
    grant a to b with admin false, inherit false, set false;

But such membership is completely useless (if i didn't miss something).
May be such grants must be prohibited. At least this may be documented in the GRANT command.


4.
Since v16 it is possible to grant membership from one role to another several times with different grantors.
And only grantor can revoke membership.

    - This is not documented anywhere.
    - Current behavior of \du command with duplicated roles in "Member of" column strongly confusing.
      This is one of the goals of the discussion patch.

    
I think to write about this to pgsql-docs additionally to this topic.
-- 
Pavel Luzanov
Postgres Professional: https://postgrespro.com
--------------ZxH6ImbAJQ78FdxLaiMCrUye--