Postgres Pro
Downloads
Home   >   mailing lists

Re: New SET privilege for pg_has_role() in v16+ - Mailing list pgsql-general

From Adrian Klaver
Subject Re: New SET privilege for pg_has_role() in v16+
Date
Msg-id ab446f99-0bf3-4ff1-b118-02625aa9d4a2@aklaver.com
Whole thread Raw
In response to New SET privilege for pg_has_role() in v16+  (Dominique Devienne <ddevienne@gmail.com>)
Responses Re: New SET privilege for pg_has_role() in v16+
List pgsql-general
Tree view 
On 1/2/24 07:24, Dominique Devienne wrote:
> Hi. And happy new year (for those using the Gregorian calendar).
> 
> pg_has_role() from 
> https://www.postgresql.org/docs/current/functions-info.html 
> <https://www.postgresql.org/docs/current/functions-info.html>
> added the 'SET' privilege in v16, and on top of the existing 'MEMBER' 
> and 'USAGE' ones:
> 
>  > MEMBER denotes direct or indirect membership in the role [...]
>  > USAGE denotes whether the privileges of the role are immediately 
> available without doing SET ROLE
>  > SET denotes whether it is possible to change to the role using the 
> SET ROLE command
> 
> I'd like to know if possible why SET was added; the rationale for it.
> Does it not imply that MEMBER and USAGE weren't enough somehow before?
> 
> If `pg_has_role(..., 'MEMBER')` is true, isn't `pg_has_role(..., 'SET')` 
> implied?
> If not, why? (and is that related to NOT INHERIT roles in the graph 
> between the two roles?)
> 
> Asked differently I guess, when does being a MEMBER of a role (directly 
> or not),
> NOT allow SET ROLE to that role?


https://www.postgresql.org/docs/current/sql-set-role.html

"Using this command, it is possible to either add privileges or restrict 
one's privileges. If the session user role has been granted memberships 
WITH INHERIT TRUE, it automatically has all the privileges of every such 
role. In this case, SET ROLE effectively drops all the privileges except 
for those which the target role directly possesses or inherits. On the 
other hand, if the session user role has been granted memberships WITH 
INHERIT FALSE, the privileges of the granted roles can't be accessed by 
default. However, if the role was granted WITH SET TRUE, the session 
user can use SET ROLE to drop the privileges assigned directly to the 
session user and instead acquire the privileges available to the named 
role. If the role was granted WITH INHERIT FALSE, SET FALSE then the 
privileges of that role cannot be exercised either with or without SET 
ROLE."


> 
> We use ROLEs extensively in our PostgreSQL-based apps,
> and I've read a lot about them, but at times I feel I'm missing something.
> 
> Thanks, --DD

-- 
Adrian Klaver
adrian.klaver@aklaver.com

pgsql-general by date:

Previous
From: Adrian Klaver
Date:
Subject: Re: Import csv to temp table
Next
From: "David G. Johnston"
Date:
Subject: Re: New SET privilege for pg_has_role() in v16+