Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pCnC7-0005fU-23 for pgsql-hackers@arkaria.postgresql.org; Tue, 03 Jan 2023 19:43:31 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1pCnC5-0006Nr-Aq for pgsql-hackers@arkaria.postgresql.org; Tue, 03 Jan 2023 19:43:29 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pCnC4-0006Nh-VZ for pgsql-hackers@lists.postgresql.org; Tue, 03 Jan 2023 19:43:29 +0000 Received: from mail-lj1-x236.google.com ([2a00:1450:4864:20::236]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1pCnC0-00078a-32 for pgsql-hackers@postgresql.org; Tue, 03 Jan 2023 19:43:27 +0000 Received: by mail-lj1-x236.google.com with SMTP id u12so29378785ljj.11 for ; Tue, 03 Jan 2023 11:43:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=OtB9AlrbnBe7qudDYVMVpZ+VG/RxXA3fZWUewrHVxA4=; b=JVeRg6cJJPyFFeTXu0kEBQO5UKY40OCCce/AfZ3jgfdk0hIvyqV0za2vehsqnDjeN1 Nxrv2RlI+5Da5ToHc7MUSqIKmu67nUZQavNQXEwk/SHAwZCe4J5wOql5hB5Wp8u1HH8E r8grSyIsqjTzChTxxzgXaIwcbEwzQdkwM/tA315NgF0d/A/BjavDLhdO1Mzvsc/hMt7Z FQ8TkHSlTvMkyaUEQrUNG9uqAV1gPDKHpxj8qw0v8XBGErX65GMNTW8sTcAaTf111rnB KC1hBl0SC7SMJIgW51opE6e3tpc65pirmjd5586yNWKHa3YkNF6ShviKpWNAVitxoq6U ET5A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=OtB9AlrbnBe7qudDYVMVpZ+VG/RxXA3fZWUewrHVxA4=; b=oMgB+dj63XbaKjS4P0xtXx++NCZbTVQkZjePC6FsZY7mXa2iaQ9eZVvhYlPS7q8NoG FpBhZ7YnzW8BtELln9cGLcqoiDCZ8Ij1P/zB5crDyOg2RN06YcirdGXR8PYs0QW0v4JN olg46USfy8XV5MtXqQHY5wBOMz0l0xhuOPg568+l1C5E9w1iPXguoPUCdQIVDsDd+tJt i0CHYAnRdrc5G2D4HN/u6ekwEgR42ncVHD8F5u8nF8aW2bRr4wx2qmyQMoDCwI3ZIDXA PjySpDz/TV9T+iGDa4OSyPyW99Qaonw4mDvrdIp92prTOQsBSjKctmHauNRVwd7lJ8lW gUYg== X-Gm-Message-State: AFqh2krXeuUB7pd5K5lB8U/5HUg18QovH0+Nu3IKm5jfKxSrhKGhK0dc z81Eebe3Hk8bYuLygLZL5ybeJCemRtE6Z9tFfGg= X-Google-Smtp-Source: AMrXdXvunp7Hc1p7QIPCqwXLHh+ddqn55/wONMK+bXFcTIya33KS6KNxp55wWPWiM0ZyMo0Ltvnz8RRLiBqCw5E4cdk= X-Received: by 2002:a2e:9244:0:b0:27f:d8d8:c1e2 with SMTP id v4-20020a2e9244000000b0027fd8d8c1e2mr794946ljg.309.1672775002198; Tue, 03 Jan 2023 11:43:22 -0800 (PST) MIME-Version: 1.0 References: <20221012205937.GA1548617@nathanxps13> <3e0e07334e2c4990491a8cbdef20dd89993a232a.camel@j-davis.com> <2428449680f732836906cebe9c8bf0998c7e5486.camel@j-davis.com> <20221231061640.GA1435002@rfd.leadboat.com> In-Reply-To: <20221231061640.GA1435002@rfd.leadboat.com> From: Robert Haas Date: Tue, 3 Jan 2023 14:43:10 -0500 Message-ID: Subject: Re: allowing for control over SET ROLE To: Noah Misch Cc: Jeff Davis , Stephen Frost , Nathan Bossart , "pgsql-hackers@postgresql.org" Content-Type: text/plain; charset="UTF-8" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Sat, Dec 31, 2022 at 1:16 AM Noah Misch wrote: > On Thu, Nov 17, 2022 at 04:24:24PM -0800, Jeff Davis wrote: > > On Thu, 2022-11-17 at 16:52 -0500, Robert Haas wrote: > > > But I think the bigger reason is that, in my opinion, this proposal is > > > more generally useful, because it takes no position on why you wish to > > > disallow SET ROLE. You can just disallow it in some cases and allow it in > > > others, and that's fine. > > In this commit 3d14e17, the documentation takes the above "no position". The > implementation does not, in that WITH SET FALSE has undocumented ability to > block ALTER ... OWNER TO, not just SET ROLE. Leaving that undocumented feels > weird to me, but documenting it would take the position that WITH SET FALSE is > relevant to the security objective of preventing object creation like the > example in the original post of this thread. How do you weigh those > documentation trade-offs? In general, I favor trying to make the documentation clearer and more complete. Intentionally leaving things undocumented doesn't seem like the right course of action to me. That said, the pre-existing documentation in this area is so incomplete that it's sometimes hard to figure out where to add new information - and it made no mention of the privileges required for ALTER .. OWNER TO. I didn't immediately know where to add that, so did nothing. Maybe I should have tried harder, though. -- Robert Haas EDB: http://www.enterprisedb.com