Alena0704 commented on PR #1804: URL: https://github.com/apache/cloudberry/pull/1804#issuecomment-4679647526
Reworked the patch following the pg_aux commit - moved the mdb_admin role into a contrib extension, pg_aux_catalog: it's created via pg_create_mdb_admin_role() (fixed OID 8067, superuser-only). Resource-group operations are gated on mdb_admin membership, identified by that fixed OID. Because the role is created at a single fixed OID and only by a superuser, it cannot be re-created or taken over by another user - a CREATEROLE user can neither establish mdb_admin nor recreate it at that OID: ``` postgres=# CREATE ROLE rg_attacker CREATEROLE; CREATE ROLE postgres=# SET ROLE rg_attacker; SET postgres=> ALTER ROLE mdb_admin RENAME TO rg_attacker_admin; ERROR: role "mdb_admin" does not exist postgres=> ALTER ROLE mdb_admin PASSWORD 'hijack'; ERROR: role "mdb_admin" does not exist ``` Tests were moved into the extension as well. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
