Thread: Permissions not removed when group dropped

Permissions not removed when group dropped

From
"Harris, Richard"
Date:
Hi,

I'm using PostgreSQL 8.0. I created a group called grpA and granted grpA
'SELECT' permission on view viewA. When I dropped grpA and created group
grpB, group grpB 'automatically' has SELECT permission to viewA. After
dropping a group with permission to a view, I see that the permission
stored in the relacl field fo pg_class is changed from the group name to
the sysid of the dropped group. When a new group is created, it gets a
sysid that is one greater than the largest of the sysid (e.g., the sysid
of the last group dropped).  Thus the new group may 'inherit' the
permissions of a dropped group.

I have not found this behavior documented any where. Is this behavior
intended? What do I need to do so that when I drop a group all the
permissions of the group are also 'dropped' (i.e., cleared from the
relacl field)?

Thanks for you help.

Rich Harris

Re: Permissions not removed when group dropped

From
Alvaro Herrera
Date:
On Fri, May 13, 2005 at 03:43:54PM -0500, Harris, Richard wrote:

Hi,

> I'm using PostgreSQL 8.0. I created a group called grpA and granted grpA
> 'SELECT' permission on view viewA. When I dropped grpA and created group
> grpB, group grpB 'automatically' has SELECT permission to viewA. After
> dropping a group with permission to a view, I see that the permission
> stored in the relacl field fo pg_class is changed from the group name to
> the sysid of the dropped group. When a new group is created, it gets a
> sysid that is one greater than the largest of the sysid (e.g., the sysid
> of the last group dropped).  Thus the new group may 'inherit' the
> permissions of a dropped group.
>
> I have not found this behavior documented any where. Is this behavior
> intended? What do I need to do so that when I drop a group all the
> permissions of the group are also 'dropped' (i.e., cleared from the
> relacl field)?

This is a known limitation.  You have to remove the group from all ACLs
before dropping the group; OTOH you can specify a SYSID when creating a
group.

We are working on it, and hopefully in 8.1 you will be told where the
user/group is referenced if you try to drop it.  Automatically deleting
the references from all ACLs has not been discussed but it's a possible
outcome of the implementation.

--
Alvaro Herrera (<alvherre[a]surnet.cl>)
"And as an added bonus, now my computer goes to the toilet for me, leaving me
free to spend time on more useful activities! yay slug codefests!" (C. Parker)

Re: Permissions not removed when group dropped

From
Tom Lane
Date:
Alvaro Herrera <alvherre@surnet.cl> writes:
> We are working on it, and hopefully in 8.1 you will be told where the
> user/group is referenced if you try to drop it.  Automatically deleting
> the references from all ACLs has not been discussed but it's a possible
> outcome of the implementation.

[ raised eyebrow... ]  You expect to be able to tell anything about the
internals of a different database?  Much less do anything to it?

            regards, tom lane

Re: Permissions not removed when group dropped

From
Alvaro Herrera
Date:
On Fri, May 13, 2005 at 10:48:13PM -0400, Tom Lane wrote:
> Alvaro Herrera <alvherre@surnet.cl> writes:
> > We are working on it, and hopefully in 8.1 you will be told where the
> > user/group is referenced if you try to drop it.  Automatically deleting
> > the references from all ACLs has not been discussed but it's a possible
> > outcome of the implementation.
>
> [ raised eyebrow... ]  You expect to be able to tell anything about the
> internals of a different database?  Much less do anything to it?

No, that's why I haven't mentioned it :-)  I know I can't do anything
about objects in other databases.  But I have wondered if we could
implement CASCADE behavior for an object whose dependencies are only
local to the current database (where CASCADE actually mean delete
references in ACLs, and reject the action altogether if there is an
ownership reference.  And of course, if the object is a tablespace,
reject as well.)

--
Alvaro Herrera (<alvherre[a]surnet.cl>)
"La persona que no quería pecar / estaba obligada a sentarse
 en duras y empinadas sillas    / desprovistas, por cierto
 de blandos atenuantes"                          (Patricio Vogel)

Re: Permissions not removed when group dropped

From
Tom Lane
Date:
Alvaro Herrera <alvherre@surnet.cl> writes:
> No, that's why I haven't mentioned it :-)  I know I can't do anything
> about objects in other databases.  But I have wondered if we could
> implement CASCADE behavior for an object whose dependencies are only
> local to the current database (where CASCADE actually mean delete
> references in ACLs, and reject the action altogether if there is an
> ownership reference.  And of course, if the object is a tablespace,
> reject as well.)

Well, I think ACL references could be auto-dropped (ie, even in RESTRICT
mode); and group memberships too.  It seems to me that those do not
amount to independent objects that need protection.  What I'd like
CASCADE to mean is "drop owned objects".

I agree it makes sense to restrict the owned database and owned
tablespace cases even in CASCADE mode, although that's more of a
judgement call than a necessary conclusion.

So what we've got is:

1. Reject if any references to user from within other databases
(implementation restriction).

2. Reject if user owns any databases or tablespaces (safety feature).

3. If CASCADE mode, drop any owned objects within the current database;
if RESTRICT mode, reject if there are owned objects within the current
database.

4. Auto-drop any remaining references (ACLs and group memberships).

5. Drop the user itself.

The main problem I see with this is that if you do have a user you want
to get rid of who owns objects in multiple databases, it's still mighty
hard to do it.  It'd be nice to have some kind of command that either
drops or reassigns ownership of everything the user has in the current
database.  Then you could use that repeatedly until you'd reached a
point where DROP USER would work.

            regards, tom lane