my-ship-it commented on PR #1804:
URL: https://github.com/apache/cloudberry/pull/1804#issuecomment-4632142017
> > This PR's permission check looks up the role by name, not by a fixed OID:
> > ```
> > role = get_role_oid("mdb_admin", true); /* look up the role by the
name "mdb_admin" */
> > if (!is_member_of_role(GetUserId(), role))
> > ereport(ERROR, ...);
> > ```
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > This means: members of any role that happens to be named mdb_admin can
manage resource groups. The code doesn't care who created that role or when.
>
> Yep, exactly :) We only care about rolsuper or not, if mdb-admin patch
does not allow to gain superuser priviledge - we consider it safe :)
Thanks for the iterations on this. I agree with the constraint driving the
current design — a
new bootstrap entry in pg_authid.dat bumps CATALOG_VERSION_NO and breaks
minor-version upgrades,
so a runtime lookup is the right shape for the stable branch.
How about Proposal: use a reserved-prefix role name
Rename the role to e.g. pg_manage_resgroup and keep the same runtime
get_role_oid() lookup. The
point is that the pg_ namespace is already reserved for roles:
- CreateRole() rejects any pg_-prefixed name via IsReservedName()
(src/backend/commands/user.c),
so a CREATEROLE user cannot forge it;
- RenameRole() rejects renaming any role to a pg_ name, so it cannot be
smuggled in via ALTER
ROLE ... RENAME either;
One caveat: DROP is not name-protected
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]