Re: SET ROLE documentation improvement

Поиск
Список
Период
Сортировка
От Nathan Bossart
Тема Re: SET ROLE documentation improvement
Дата
Msg-id 20231110174107.GA1270232@nathanxps13
обсуждение исходный текст
Ответ на Re: SET ROLE documentation improvement  (Yurii Rashkovskii <yrashk@gmail.com>)
Ответы Re: SET ROLE documentation improvement  (Shubham Khanna <khannashubham1197@gmail.com>)
Re: SET ROLE documentation improvement  (Robert Haas <robertmhaas@gmail.com>)
Список pgsql-hackers
Дерево обсуждения 
On Tue, Sep 26, 2023 at 08:33:25AM -0700, Yurii Rashkovskii wrote:
> This is a good start, indeed. I've amended my patch to include it.

Thanks for the new patch.

Looking again, I'm kind of hesitant to add too much qualification to this
note about losing superuser privileges.  If we changed it to

    Note that when a superuser chooses to SET ROLE to a non-superuser role,
    they lose their superuser privileges, except for the privilege to
    change to another role again using SET ROLE or RESET ROLE.

it almost seems to imply that a non-superuser role could obtain the ability
to switch to any role if they first SET ROLE to a superuser.  In practice,
that's true because they could just give the session role SUPERUSER, but I
don't think that's the intent of this section.

I thought about changing it to something like

    Note that when a superuser chooses to SET ROLE to a non-superuser role,
    they lose their superuser privileges.  However, if the current session
    user is a superuser, they retain the ability to set the current user
    identifier to any role via SET ROLE and RESET ROLE.

but it seemed weird to me to single out superusers here when it's always
true that the current session user retains the ability to SET ROLE to any
role they have the SET option on.  That is already covered above in the
"Description" section, so I don't really see the need to belabor the point
by adding qualifications to the "Notes" section.  ISTM the point of these
couple of paragraphs in the "Notes" section is to explain the effects on
privileges for schemas, tables, etc.

I still think we should update the existing note about privileges for
SET/RESET ROLE to something like the following:

diff --git a/doc/src/sgml/ref/set_role.sgml b/doc/src/sgml/ref/set_role.sgml
index 13bad1bf66..c91a95f5af 100644
--- a/doc/src/sgml/ref/set_role.sgml
+++ b/doc/src/sgml/ref/set_role.sgml
@@ -41,8 +41,10 @@ RESET ROLE
   </para>
 
   <para>
-   The specified <replaceable class="parameter">role_name</replaceable>
-   must be a role that the current session user is a member of.
+   The current session user must have the <literal>SET</option> for the
+   specified <replaceable class="parameter">role_name</replaceable>, either
+   directly or indirectly via a chain of memberships with the
+   <literal>SET</literal> option.
    (If the session user is a superuser, any role can be selected.)
   </para>

-- 
Nathan Bossart
Amazon Web Services: https://aws.amazon.com

В списке pgsql-hackers по дате отправления:

Предыдущее
От: Andres Freund
Дата:
Сообщение: Re: AdvanceXLInsertBuffers() vs wal_sync_method=open_datasync
Следующее
От: Nathan Bossart
Дата:
Сообщение: Re: Improvements in pg_dump/pg_restore toc format and performances