Alena0704 commented on PR #1804:
URL: https://github.com/apache/cloudberry/pull/1804#issuecomment-4679647526

   Reworked the patch following the pg_aux commit - moved the mdb_admin role 
into a contrib extension, pg_aux_catalog: it's created via 
pg_create_mdb_admin_role() (fixed OID 8067, superuser-only). Resource-group 
operations are gated on mdb_admin membership, identified by that fixed OID.
   
   Because the role is created at a single fixed OID and only by a superuser, 
it cannot be re-created or taken over by another user - a CREATEROLE user can 
neither establish mdb_admin nor recreate it at that OID:
   
   ```
   postgres=# CREATE ROLE rg_attacker CREATEROLE;
   CREATE ROLE
   postgres=# SET ROLE rg_attacker;
   SET
   postgres=> ALTER ROLE mdb_admin RENAME TO rg_attacker_admin;
   ERROR:  role "mdb_admin" does not exist
   postgres=> ALTER ROLE mdb_admin PASSWORD 'hijack';
   ERROR:  role "mdb_admin" does not exist
   ```
   Tests were moved into the extension as well.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to