Re: "paths" between two ROLEs

On 6/13/23 04:17, Dominique Devienne wrote:
> Hi. We emulated a legacy security model (enforced in C/C++ code)
> into "layers" of PostgreSQL ROLEs and GRANTs, thus enforced database-side.
> 
> To troubleshoot and validate that emulation, I'd like to introspect ROLE 
> membership to:
> 
> 1) Output the ROLE "path(s)" between any two ROLEs. Typically between 
> the LOGIN USER and the ROLE that control access to a particular SCHEMA. 
> In our model, there can be several ways the two end-roles are connected, 
> involving a variable number of roles. So it has to be a recursive query.
> 
> 2) target-end ROLEs (controlling access to SCHEMAs, again) follow a 
> naming convention, so they can be identified using a LIKE pattern. 
> Output all target ROLEs (aggregating each "paths" to the source-ROLE in 
> an text[]) a given LOGIN USER has access to.
> 
> I'd appreciate either example SQL for the above; or hints to achieve the 
> above.
> My CTE "foo" is not great, thus reaching out to the community to avoid 
> wasting too much time on this on my own.

This shows the path between roles taken which provides a particular 
privilege for a particular object:

https://github.com/CrunchyData/crunchy_check_access

It might do for you as-is, or at least you can use it as an example.

HTH,

-- 
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com