Re: [PATCHES] Roles - SET ROLE Updated - Mailing list pgsql-hackers
From | Stephen Frost |
---|---|
Subject | Re: [PATCHES] Roles - SET ROLE Updated |
Date | |
Msg-id | 20050722023855.GM24207@ns.snowman.net Whole thread Raw |
In response to | Re: [PATCHES] Roles - SET ROLE Updated (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses |
Re: [PATCHES] Roles - SET ROLE Updated
|
List | pgsql-hackers |
* Tom Lane (tgl@sss.pgh.pa.us) wrote: > Stephen Frost <sfrost@snowman.net> writes: > > To support having certain roles turned on and certain roles turned off > > would be some additional effort. I think we'd need a list of > > 'ENABLED_ROLES' and then correct recursion based off of that list > > instead of just starting from a single point like we do now. > > That seems fairly ugly and messy though, because it wouldn't readily > translate to the case of SECURITY DEFINER procedures. SECURITY DEFINER is just another level in the stack, one which is above all others. At least, in my thinking anyway. We don't actually need a stack, just need to save off the old user/role list and reinstate it after the SECURITY DEFINER function. > Let's review the bidding. As I presently understand it: [...] That all looks right. > What I would like to do is say that there is exactly one active > authorization identifier at any instant. That means that if you SET > ROLE then you no longer have the privileges attached to SESSION_USER > (except the right to SET ROLE to a different one of his roles). > This is contrary to spec but it seems to be a pretty widely accepted > way of doing things; and it makes SET ROLE effectively equivalent to > the change in privileges associated with entering a SECURITY DEFINER > procedure owned by that role, so there's a much cleaner conceptual > model. I'd rather get away from the idea of only one 'active authorization identifier'. That's rather limiting and I don't really see the point. All that's changing is what seeds the initial list of roles prior to doing the full hierarchical resolution to populate the full list of roles. The original patch used CURRENT_USER or CURRENT_ROLE if it was set. This just adds CURRENT_USER back in at the end if we used CURRENT_ROLE initially. Except in a 'SET ROLE all' case, when we seed with CURRENT_USER, as I had originally. > Furthermore, I still feel that both CURRENT_USER and CURRENT_ROLE should > reflect this single active authorization id. The spec's distinction is > artificial and doesn't gain anything, except the ability to break code > that assumes CURRENT_USER is always meaningful. There is a distinction there though, at least as the SQL spec works, and really there is when you consider that CURRENT_USER is really the SESSION_USER generally. > If we don't do it that way then we have a bunch of API that breaks down: > all of the has_foo_privilege functions stop working, because they don't > have a signature that allows both a user and a role to be passed to > them. It seems like there might be a way to solve this better but I'm not coming up with it yet. > I think we do need to invent the concept of roles (pg_authid entries) > that either do or do not inherit privileges from roles they are members > of. A non-inheriting role can do SET ROLE to gain the privileges of a > role it is a member of, but it does not have those privileges without > SET ROLE. We could drive this off rolcanlogin but it's probably better > to invent an additional flag column in pg_authid (call it rolinherit, > maybe). Users by default would not inherit, which puts us a great deal > closer to the spec's semantics. I really don't care for this idea as an alternative to what the spec calls for. I don't think it puts us much closer to the spec's semantics unless you let a user change pg_authid wrt this and that seems like quite a bad idea. > Thoughts? Sorry if it's not entirely coherent, I've been thinking about this alot over the past couple of hours. I'm going to sleep on it and hopefully write up something better tommorow. Basically my thinking is that in general the 'list of roles current enabled' is what we've currently got already and that works. We're just changing how and what gets added/removed from it. Thanks, Stephen
pgsql-hackers by date: