Re: Role Self-Administration - Mailing list pgsql-hackers

From Stephen Frost
Subject Re: Role Self-Administration
Date
Msg-id CAOuzzgrtJHSHx8TqixYpzxMrG8m7sntPibTJmPqugHJDhq3nyg@mail.gmail.com
Whole thread Raw
In response to Re: Role Self-Administration  (Mark Dilger <mark.dilger@enterprisedb.com>)
List pgsql-hackers
Greetings,

On Wed, Oct 6, 2021 at 16:01 Mark Dilger <mark.dilger@enterprisedb.com> wrote:
> On Oct 6, 2021, at 11:48 AM, Stephen Frost <sfrost@snowman.net> wrote:
>
> In the spec, under <drop role statement>, there is a 'General Rules'
> section (as there is with most statements) and in that section it says
> that for every authorization identifier (that is, some privilege, be it
> a GRANT of SELECT rights on an object, or GRANT of role membership in
> some role) which references the role being dropped, the command:
>
> REVOKE R FROM A DB
>
> is effectively executed (without further access rule checking).

I think you are saying that "DROP ROLE bob" implies revoking "bob" from anybody who has membership in role bob.  I agree with that entirely, and my proposal does not change that.  (Roles owned by "bob" are not typically members of role "bob" to begin with.)

Yes and no….   Specifically the spec says that “DROP ROLE bob CASCADE” implies revoking memberships that bob is in. The other drop behavior is “RESTRICT”, which, as you might expect, implies throwing an error instead.

> What I'm saying above is that the command explicitly listed there
> *isn't* 'DROP ROLE A DB', even though that is something which the spec
> *could* have done, had they wished to.

Clearly the spec could have said that "DROP ROLE bob" implies "and drop all roles which are members of bob" and did not.  I fullly agree with that decision, and I'm not trying to change it one iota.

I’m not talking about what the spec says for just “DROP ROLE bob”, but rather what the spec says for “DROP ROLE bob CASCADE”. The latest versions add the drop behavior syntax to the end of DROP ROLE and it can be either CASACDE or RESTRICT, and if it’s CASCADE then the rule is to run the REVOKEs that I’ve been talking about.

>  Given that they didn't, it seems
> very clear that making such a change would very much be a deviation and
> violation of the spec. 

Sure, and I'm not proposing any such change.

But.. you are, because what I’ve been talking about has specifically been the spec-defined “CASCADE” case, not bare DROP ROLE. 

> That we invented some behind-the-scenes concept
> of role ownership where we track who actually created what role and then
> use that info to transform a REVOKE into a DROP doesn't make such a
> transformation OK.

I think I understand why you say this.  You seem to be conflating the idea of having privileges on role "bob" to being owned by role "bob".  That's not the case.  Maybe you are not conflating them, but I can't interpret what you are saying otherwise.

I’m talking specifically about what happens when someone runs a DROP ROLE with CASCADE. 

> Consider that with what you're proposing, a user could execute the
> following series of entirely SQL-spec compliant statements, and get
> very different results depending on if we have this 'ownership' concept
> or not:
>
> SET ROLE postgres;
> CREATE ROLE r1;
>
> SET ROLE r1;
> CREATE ROLE r2;
>
> SET ROLE postgres;
> DROP ROLE r1 CASCADE;
>
> With what you're suggesting, the end result would be that r2 no longer
> exists, whereas with the spec-defined behvaior, r2 *would* still exist.

If you try this on postgres 14, you get a syntax error because CASCADE is not supported in the grammar for DROP ROLE:

mark.dilger=# drop role bob cascade;
ERROR:  syntax error at or near "cascade"

I don't know if those statements are "entirely SQL-spec compliant" because I have yet to find a reference to the spec saying what DROP ROLE ... CASCADE is supposed to do.  I found some Vertica docs that say what Vertica does.  I found some Enterprise DB docs about what Advanced Server does (or course, since I work here.)  I don't see much else.

They’re valid commands in the version I’m looking at, though I think actually that this is a pre-release as apparently 2016 is the latest when I thought there was something more recent. I’m not sure if the 2016 version included the CASCADE option for DROP ROLE or not. Even if it’s only a preview, sure looks like this is the direction they’re going in and it seems consistent, at least to me, with other things they’ve done in this area…

You have quoted me parts of the spec about what REVOKE is supposed to do, and I have responded about why I don't see the connection to DROP ROLE...CASCADE.

The bits from REVOKE that I quoted were only at the very start of this thread…. This entire sub thread has only been about the DROP ROLE statement..

Are there any other references to either the spec or how other common databases handle this?

Trying to get some more insight into the version of the spec I’m looking at and if I can figure out a way that you’d be able to see what I’m talking about directly.

Thanks,

Stephen

pgsql-hackers by date:

Previous
From: Robert Haas
Date:
Subject: Re: preserving db/ts/relfilenode OIDs across pg_upgrade (was Re: storing an explicit nonce)
Next
From: Stephen Frost
Date:
Subject: Re: Role Self-Administration