Re: Missing warning on revokes with grant options - Mailing list pgsql-hackers

From Joseph Koshakow
Subject Re: Missing warning on revokes with grant options
Date
Msg-id CAAvxfHdB=0vnwbNbNC+drEWUhpM6efHm8=+jRYCpc=nY5FHXew@mail.gmail.com
Whole thread Raw
In response to Re: Missing warning on revokes with grant options  (Joseph Koshakow <koshy44@gmail.com>)
Responses Re: Missing warning on revokes with grant options
List pgsql-hackers
I've been thinking about this some more and reading the SQL99 spec. In
the original thread that added these warnings [0], which was linked
earlier in this thread by Nathan, the following assertion was made:

> After that, you get to the General Rules, which pretty clearly say that
> trying to grant privileges you don't have grant option for is just a
> warning and not an error condition.  (Such privileges will not be in the
> set of "identified privilege descriptors".)
>
> AFAICS the specification for REVOKE is exactly parallel.

I think it is true that for both GRANT and REVOKE, if a privilege was
specified in the statement and a corresponding privilege does not exist
in the identified set then a warning should be issued. However, the
meaning of "identified set" is different between GRANT and REVOKE.

In GRANT the identified set is defined as

    4) A set of privilege descriptors is identified. The privilege descriptors identified are those defining,
    for each <action> explicitly or implicitly in <privileges>, that <action> on O held by A with
    grant option.

Essentially it is all privileges specified in the GRANT statement on O
**where by A is the grantee with a grant option**.

In REVOKE the identified set is defined as

    1) Case:
      a) If the <revoke statement> is a <revoke privileges statement>, then for every <grantee>
         specified, a set of privilege descriptors is identified. A privilege descriptor P is said to be
         identified if it belongs to the set of privilege descriptors that defined, for any <action>
         explicitly or implicitly in <privileges>, that <action> on O, or any of the objects in S, granted
         by A to <grantee>.

Essentially it is all privileges specified in the REVOKE statement on O
**where A is the grantor and the grantee is one of the grantees
specified in the REVOKE statement**.

In fact as far as I can tell, the ability to revoke a privilege does
not directly depend on having a grant option for that privilege, it
only depends on being the grantor of the specified privilege. However,
our code in restrict_and_check_grant doesn't match this. It treats the
rules for GRANTs and REVOKEs the same, in that you need a grant option
to execute either. It's possible that due to the abandoned privilege
rules that it is impossible for a privilege to exist where the grantor
doesn't also have a grant option on that privilege. I haven't read that
part of the spec closely enough.

As a consequence of how the identified set is defined for REVOKE, not
only should a warning be issued in the example from my previous email,
but I think a warning should also be issued even if the grantee has no
privileges on O. For example,

```
test=# SELECT current_role;
 current_role
--------------
 joe
(1 row)

test=# CREATE TABLE t ();
CREATE TABLE
test=# CREATE ROLE r1;
CREATE ROLE
test=# SELECT relacl FROM pg_class WHERE relname = 't';
 relacl
--------
 
(1 row)

test=# REVOKE SELECT ON t FROM r1;
REVOKE
```

Here the identified set for the REVOKE statement is empty. So there is
no corresponding privilege descriptor in the identified set for the
SELECT privilege in the REVOKE statement. So a warning should be
issued. Recall:

    18) If the <revoke statement> is a <revoke privileges statement>, then:
      a) For every combination of <grantee> and <action> on O specified in <privileges>, if there
         is no corresponding privilege descriptor in the set of identified privilege descriptors, then a
         completion condition is raised: warning — privilege not revoked

Essentially the meaning of the warning for REVOKE does not mean "you
tried to revoke a privilege but you don't have a grant option", it
means "you tried to revoke a privilege (where you are the grantor), but
such a privilege does not exist".

Thanks,
Joe Koshakow

[0] https://postgr.es/m/20040511091816.E9887CF519E%40www.postgresql.com

pgsql-hackers by date:

Previous
From: Marina Polyakova
Date:
Subject: Re: Conflict between regression tests namespace & transactions due to recent changes
Next
From: jian he
Date:
Subject: Re: PG 16 draft release notes ready