Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qe9SA-005uRA-Gp for pgsql-hackers@arkaria.postgresql.org; Thu, 07 Sep 2023 07:29:26 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1qe9S9-00GOjg-6N for pgsql-hackers@arkaria.postgresql.org; Thu, 07 Sep 2023 07:29:24 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qe9S8-00GOjO-Q9 for pgsql-hackers@lists.postgresql.org; Thu, 07 Sep 2023 07:29:24 +0000 Received: from mail-pj1-x102d.google.com ([2607:f8b0:4864:20::102d]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1qe9S5-003Csp-5G for pgsql-hackers@postgresql.org; Thu, 07 Sep 2023 07:29:23 +0000 Received: by mail-pj1-x102d.google.com with SMTP id 98e67ed59e1d1-26d1a17ce06so484429a91.0 for ; Thu, 07 Sep 2023 00:29:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1694071760; x=1694676560; darn=postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=1LYK263oqTfELDrrNkV+6pzmLpkhCsu2Pxtuv+uiAaY=; b=Hzleu/Wf0GZyKafZVwgw3zmVcLi655/lnabc3iZBsndiKkAvrpVGvQaInhRVEb894I +a18ezPKxWt/wfTlJl+0EIklr4RSaY1BzMEJWNsrg6iSk9TFJV+xFq3TUQzsnr9I2VAh voFGXtveh2WTa127j42y/3AwjFbIvL0lqHhJWETkNX/IgnC3nILslT8TYn9JT+xNICjv Cf0kOUWwwJCVB+cZgS6etdX+Rgd9OKcVW652Zp+7bSRu8FQ/G8yavWifm9QdsPJN9O5q D1hQqcw9d+EZ4z9wYF2kLFISmBAsK+/8hfH1ZEiLgXH4gfCIClcp6hw2zJPJADA9J3Et AnmA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1694071760; x=1694676560; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=1LYK263oqTfELDrrNkV+6pzmLpkhCsu2Pxtuv+uiAaY=; b=XOTB6jKNexTizWUpheevXhLU0AQEVnVdClns3enoky8NQ77cFm210o6OCpl54d4cly cjaYuwAXVJ6fYnxEX7cRa6u5c+nFRR9tZAVU1Z29lGEYsDTbOuQ7LvJH7W9ynpMXkeCy SYi095CnT1tvMPcIDGLY6hzImGJ3Bm/nLRH8PqB1qgQYNZpxKJFK2KqxDCsnHrMS5AXD BxEg7OiviTNmKc94fKR/ln6yHOc2mGGlF735IybYcbRGyM8Xd/9Wu6kA4h5HYd6+UzN7 D6BExRx3Vd48QpFEqU5wlM8EqDavfa9+k2ttU6D4PWfEw9+rkxq3CbuGtPgg885Q9Qn4 D9zA== X-Gm-Message-State: AOJu0YywqdACq2DbulgaHc9NBA/D57FpUHx1VUCNyTEk7tPQ7N4KaF6w A61hxdfm7XtnuYBPFqaqqXNECPg0WwznFeLT71I= X-Google-Smtp-Source: AGHT+IHYadBlGBwBWAcyxbyDO1mX7c6iA2jy48+ocQ4VBampk9aIskWGYby7wZOq4glUCfzg8ABQtXc9MnPGLWdtso4= X-Received: by 2002:a17:90a:e2d4:b0:26d:49c8:78aa with SMTP id fr20-20020a17090ae2d400b0026d49c878aamr16451885pjb.32.1694071760042; Thu, 07 Sep 2023 00:29:20 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Ashutosh Sharma Date: Thu, 7 Sep 2023 12:59:09 +0530 Message-ID: Subject: Re: Can a role have indirect ADMIN OPTION on another role? To: Robert Haas Cc: pgsql-hackers Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Thu, Sep 7, 2023 at 12:20=E2=80=AFAM Robert Haas = wrote: > > On Wed, Sep 6, 2023 at 1:33=E2=80=AFPM Ashutosh Sharma wrote: > > Actually I have one more question. With this new design, assuming that > > createrole_self_grant is set to 'set, inherit' in postgresql.conf and > > if roleA creates roleB. So, in this case, roleA will inherit > > permissions of roleB which means roleA will have access to objects > > owned by roleB. But what if roleB doesn't want to give roleA access to > > the certain objects it owns. As an example let's say that roleB > > creates a table 't' and by default (with this setting) roleA will have > > access to this table, but for some reason roleB does not want roleA to > > have access to it. So what's the option for roleB? I've tried running > > "revoke select on table t from roleA" but that doesn't seem to be > > working. the only option that works is roleA himself set inherit > > option on roleB to false - "grant roleB to roleA with inherit false;" > > It doesn't matter what roleB wants. roleA is strictly more powerful > than roleB and can do whatever they want to roleB or roleB's objects > regardless of how roleB feels about it. > > In the same way, the superuser is strictly more powerful than either > roleA or roleB and can override any security control that either one > of them put in place. > > Neither roleB nor roleA has any right to hide their data from the > superuser, and roleB has no right to hide data from roleA. It's a > hierarchy. If you're on top, you're in charge, and that's it. > > Here again, it can't really meaningfully work in any other way. > Suppose you were to add a feature to allow roleB to hide data from > roleA. Given that roleA has the ability to change roleB's password, > how could that possibly work? When you give one user the ability to > administer another user, that includes the right to change that user's > password, change whether they can log in, drop the role, give the > privileges of that role to themselves or other users, and a whole > bunch of other super-powerful stuff. You can't really give someone > that level of power over another account and, at the same time, expect > the account being administered to be able to keep the more powerful > account from doing stuff. It just can't possibly work. If you want > roleB to be able to resist roleA, you have to give roleA less power. > I agree with you. thank you once again. -- With Regards, Ashutosh Sharma.