-
Notifications
You must be signed in to change notification settings - Fork 459
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sql: Update role membership for PostgreSQL v16 #18780
Conversation
7fa1e56
to
60d76d6
Compare
60d76d6
to
feabcba
Compare
Previously, role membership was modeled after the implementation of role membership in PostgreSQL v15. Specifically the grantor was set as the role ID of the session executing the `GRANT` statement. However, PostgreSQL v16, which has not been released yet as of this commit, updated role membership to be more consistent with the SQL standard and with object privileges. Specifically the grantor could only be set to someone with ADMIN OPTION on the role being granted or the bootstrap superuser. This commit set's the grantor of all role membership to the mz_system role. We haven't implemented ADMIN OPTION yet, and the 'mz_system' role is our version of the bootstrap superuser. The PostgreSQL commit that made this change can be found here: postgres/postgres@ce6b672 Part of MaterializeInc#11579
feabcba
to
95116e7
Compare
// equivalent of the bootstrap superuser. Therefore the grantor is always 'mz_system'. | ||
// For more details see: | ||
// https://github.com/postgres/postgres/blob/064eb89e83ea0f59426c92906329f1e6c423dfa4/src/backend/commands/user.c#L2180-L2238 | ||
let grantor_id = scx |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will this make the audit log useless for looking up which human typed grant or revoke? If so, we should delay this PR until ADMIN OPTION is implemented somehow. Can ADMIN OPTION be implied for superusers?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will this make the audit log useless for looking up which human typed grant or revoke?
Pretty much yes.
If so, we should delay this PR until ADMIN OPTION is implemented somehow.
Even when ADMIN OPTION
is implemented, the grantor role does not always reflect the role that executed the GRANT
statement. It reflects the role chosen as the best grantor.
Can ADMIN OPTION be implied for superusers.
Yes in the sense that superusers can always execute GRANT
. No in the sense that the superuser will not be chosen as the grantor unless they have ADMIN OPTION
explicitly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe the audit log entry should contain an additional field of something like "session role membership".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I updated the audit log to also contain the role of the session that execute the command.
If you're curious the pg mailing thread that discusses this change can be found here: https://www.postgresql.org/message-id/flat/1102925.1654199458%40sss.pgh.pa.us#505bfe4947d7a86ee07d5fdad85f34d1
It's very long and mostly irrelevant to this change (I haven't finished reading the whole thing yet). Scroll down to where the email subject changes from "CREATEROLE and role ownership hierarchies" to "pg_auth_members.grantor is bunk" for the relevant emails.
Co-authored-by: Matt Jibson <matt.jibson@gmail.com>
…ize into role-member-grantor-fix
…e-member-grantor-fix # Conflicts: # src/adapter/src/catalog/storage.rs
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is our guidance on compatibility with Postgres? Should it always be with the latest version, if that is a breaking change?
In general we try and target the most recent version of PostgreSQL, though I'm not sure if that's written down anywhere. For breaking changes we can address them on a case-by-case basis. However, PostgreSQL is also reluctant to make breaking changes, so if they're making the change then it's probably an important change. |
…e-member-grantor-fix # Conflicts: # src/adapter/src/catalog/storage.rs
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I haven't read the postgres thread to understand their reasoning, but I trust them. The executed_by
fields in the audit log seem good. Question: if the grantor fields were bunk before this change, are the executed_by
fields also bunk?
I haven't read every single message, but my understanding of "bunk" in this context is that it means:
None of these really apply to |
Previously, role membership was modeled after the implementation of role membership in PostgreSQL v15. Specifically the grantor was set as the role ID of the session executing the
GRANT
statement. However, PostgreSQL v16, which has not been released yet as of this commit, updated role membership to be more consistent with the SQL standard and with object privileges. Specifically the grantor could only be set to someone with ADMIN OPTION on the role being granted or the bootstrap superuser.This commit set's the grantor of all role membership to the mz_system role. We haven't implemented ADMIN OPTION yet, and the 'mz_system' role is our version of the bootstrap superuser.
The PostgreSQL commit that made this change can be found here: postgres/postgres@ce6b672
Part of #11579
Motivation
Tips for reviewer
Checklist
$T ⇔ Proto$T
mapping (possibly in a backwards-incompatible way) and therefore is tagged with aT-proto
label.