Re: CREATEROLE and role ownership hierarchies - Mailing list pgsql-hackers

From Andrew Dunstan
Subject Re: CREATEROLE and role ownership hierarchies
Date
Msg-id ff697cc0-d269-4ea4-2bff-2574355a3b29@dunslane.net
Whole thread Raw
In response to Re: CREATEROLE and role ownership hierarchies  (Mark Dilger <mark.dilger@enterprisedb.com>)
Responses Re: CREATEROLE and role ownership hierarchies
List pgsql-hackers
On 1/31/22 12:18, Mark Dilger wrote:
>
>> On Jan 31, 2022, at 12:43 AM, Michael Banck <michael.banck@credativ.de> wrote:
>> Ok, sure. I think this topic is hugely important and as I read the
>> patch anyway, I added some comments, but yeah, we need to figure out
>> the fundamentals first.
> Right.
>
> Perhaps some background on this patch series will help.  The patch versions before v8 were creating an owner-owned
relationshipbetween the creator and the createe, and a lot of privileges were dependent on that ownership.  Stephen
objectedthat we were creating parallel tracks on which the privilege system was running; things like belonging to a
roleor having admin on a role were partially conflated with owning a role.  He also objected that the pre-v8 patch sets
alloweda creator role with the CREATEROLE privilege to give away any privilege the creator had, rather than needing to
haveGRANT or ADMIN option on the privilege being given.
 
>
> The v8-WIP patch is not a complete replacement for the pre-v8 patches.  It's just a balloon I'm floating to try out
candidatesolutions to some of Stephen's objections.  In the long run, I want the solution to Stephen's objections to
notcreate problems for anybody who liked the way the pre-v8 patches worked (Robert, Andrew, and to some extent me.)
 
>
> In this WIP patch, for a creator to give *anything* away to a createe, the creator must have GRANT or ADMIN on the
thingbeing given.  That includes attributes like BYPASSRLS, CREATEDB, LOGIN, etc., and also ADMIN on any role the
createeis granted into.
 
>
> I tried to structure things for backwards compatibility, considering which things roles with CREATEROLE could give
awayhistorically.  It turns out they can give away most everything, but not SUPERUSER, BYPASSRLS, or REPLICATION.  So I
structuredthe default privileges for CREATEROLE to match.  But I'm uncertain that design is any good, and your comments
belowsuggest that you find it pretty hard to use.
 
>
> Part of the problem with trying to be backwards compatible is that we must break compatibility anyway, to address the
problemthat historically having CREATEROLE meant you effectively had ADMIN on all non-superuser roles.  That's got to
change. So in part I'm asking pgsql-hackers if partial backwards compatibility is worth the bother.
 
>
> If we don't go with backwards compatibility, then CREATEROLE would only allow you to create a new role, but not to
givethat role LOGIN, nor CREATEDB, etc.  You'd need to also have admin option on those things.  To create a role that
cangive those things away, you'd need to run something like:
 
>
> CREATE ROLE michael
>     CREATEROLE WITH ADMIN OPTION    -- can further give away "createrole"
>     CREATEDB WITH ADMIN OPTION    -- can further give away "createdb"
>     LOGIN WITH ADMIN OPTION    -- can further give away "login"
>     NOREPLICATION WITHOUT ADMIN OPTION    -- this would be implied anyway
>     NOBYPASSRLS WITHOUT ADMIN OPTION    -- this would be implied anyway
>     CONNECTION LIMIT WITH ADMIN OPTION    -- can specify connection limits
>     PASSWORD WITH ADMIN OPTION    -- can specify passwords
>     VALID UNTIL WITH ADMIN OPTION    -- can specify expiration
>
> (I'm on the fence about the phrase "WITH ADMIN OPTION" vs. the phrase "WITH GRANT OPTION".)
>
> Even then, when "michael" creates new roles, if he wants to be able to further administer those roles, he needs to
rememberto give himself ADMIN membership in that role at creation time.  After the role is created, if he doesn't have
ADMIN,he can't give it to himself.  So, at create time, he needs to remember to do this:
 
>
> SET ROLE michael;
> CREATE ROLE mark ADMIN michael;
>
> But that's still a bit strange, because "ADMIN michael" means that michael can grant other roles membership in
"mark",not that michael can, for example, change mark's password.  If we don't want CREATEROLE to imply that you can
messaround with arbitrary roles (rather than only roles that you created or have been transferred control over) then we
needthe concept of role ownership.  This patch doesn't go that far, so for now, only superusers can do those things.
Assumingsome form of this patch is acceptable, the v9 series will resurrect some of the pre-v7 logic for role ownership
andsay that the owner can do those things.
 
>

This seems complicated. Maybe the previous proposal was too simple, but
simplicity has some virtues. It seemed to me that more complex rules
could possibly have been implemented for those who really needed them by
using SECURITY DEFINER functions. The whole 'NOFOO WITH ADMIN OPTION'
thing seems to me a bit like a POLA violation. Nevertheless I can
probably live with it as long as it's *really* well documented. Even so
I suspect it would be too complex for many, and they will just continue
to use superusers to create and manage roles if possible.


cheers


andrew

--
Andrew Dunstan
EDB: https://www.enterprisedb.com




pgsql-hackers by date:

Previous
From: Stephen Frost
Date:
Subject: Re: Add checkpoint and redo LSN to LogCheckpointEnd log message
Next
From: Tom Lane
Date:
Subject: psql tab completion versus Debian's libedit