Thread: Re: Re: Re: Revoke Connect Privilege from Database not working
On Mon, Apr 7, 2025 at 7:27 AM Ing. Marijo Kristo <marijo.kristo@icloud.com> wrote:
Hi,
here is a full reproducer. Also revoking with the granted by clause does not work.#clean initializationpostgres=# create database testdb owner postgres;CREATE DATABASEpostgres=# create user test_admin createrole;CREATE ROLEpostgres=# alter user test_admin with password 'test1234';ALTER ROLEpostgres=# grant connect on database testdb to test_admin with grant option;GRANT#create user and grant connect privilege with test_adminpostgres=# set role test_admin;SETpostgres=> create user test_user password 'testuserpw';CREATE ROLEpostgres=> grant connect on database testdb to test_user;GRANT#generate the failure by granting test_admin superuser privilegespostgres=> reset role;RESETpostgres=# alter user test_admin superuser;ALTER ROLEpostgres=# set role test_admin;SETpostgres=# revoke connect on database testdb from test_user;REVOKEpostgres=# drop user test_user;ERROR: role "test_user" cannot be dropped because some objects depend on itDETAIL: privileges for database testdb#test also with "granted by clause"postgres=# revoke connect on database testdb from test_user granted by "test_admin";REVOKE
On master, confirmed that after this command the privilege:
test_user=c/test_admin (on database testdb) still exists. That seems like a bug. Its at least a POLA violation and I cannot figure out how to read the revoke reference page in a way that explains it.
David J.
# revokescript.psql
create database testdb:v;
create user test_admin:v createrole;
grant connect on database testdb:v to test_admin:v with grant option;
set role test_admin:v;
create user test_user:v password 'testuserpw';
grant connect on database testdb:v to test_user:v;
reset role;
alter user test_admin:v superuser;
set role test_admin:v;
revoke connect on database testdb:v from test_user:v granted by test_admin:v;
\l+ testdb:v
drop user test_user:v;
create user test_admin:v createrole;
grant connect on database testdb:v to test_admin:v with grant option;
set role test_admin:v;
create user test_user:v password 'testuserpw';
grant connect on database testdb:v to test_user:v;
reset role;
alter user test_admin:v superuser;
set role test_admin:v;
revoke connect on database testdb:v from test_user:v granted by test_admin:v;
\l+ testdb:v
drop user test_user:v;
> psql postgres --file revokescript.psql -v v=1
"David G. Johnston" <david.g.johnston@gmail.com> writes:
> On master, confirmed that after this command the privilege:
> test_user=c/test_admin (on database testdb) still exists. That seems like
> a bug. Its at least a POLA violation and I cannot figure out how to read
> the revoke reference page in a way that explains it.
I believe what's going on there is explained by the rule that
"grants and revokes done by a superuser are done as if issued
by the object owner". So here, what would be revoked is
test_user=c/postgres, which isn't the privilege at issue.
Include GRANTED BY in the REVOKE to override the default
choice of grantor.
IIRC, said rule was invented before we had the GRANTED BY
syntax. It probably doesn't make as much sense today,
but I'd be very afraid of breaking peoples' work flows
by changing it.
regards, tom lane
On Mon, Apr 7, 2025 at 9:06 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
"David G. Johnston" <david.g.johnston@gmail.com> writes:
> On master, confirmed that after this command the privilege:
> test_user=c/test_admin (on database testdb) still exists. That seems like
> a bug. Its at least a POLA violation and I cannot figure out how to read
> the revoke reference page in a way that explains it.
I believe what's going on there is explained by the rule that
"grants and revokes done by a superuser are done as if issued
by the object owner". So here, what would be revoked is
test_user=c/postgres, which isn't the privilege at issue.
Include GRANTED BY in the REVOKE to override the default
choice of grantor.
The command in question did include "granted by" which is why this is a bug. The explicit granted by specification is being ignored if the invoking user is a superuser.
revoke connect on database testdb:v
from test_user:v
---------------
granted by test_admin:v;
---^^^^^^^^^
So if we stick with status quo behavior we'd need to write the following because the ignoring part is a POLA violation:
If a superuser chooses to issue a GRANT or REVOKE command, the command is performed as though it were issued by the owner of the affected object, and the granted by clause is ignored.
David J.