sql: Update role membership for PostgreSQL v16 #18780
Conversation
jkosh44
force-pushed
the
role-member-grantor-fix
branch
from
7fa1e56
to
60d76d6
Compare
jkosh44
force-pushed
the
role-member-grantor-fix
branch
from
60d76d6
to
feabcba
Compare
Previously, role membership was modeled after the implementation of role membership in PostgreSQL v15. Specifically the grantor was set as the role ID of the session executing the `GRANT` statement. However, PostgreSQL v16, which has not been released yet as of this commit, updated role membership to be more consistent with the SQL standard and with object privileges. Specifically the grantor could only be set to someone with ADMIN OPTION on the role being granted or the bootstrap superuser. This commit set's the grantor of all role membership to the mz_system role. We haven't implemented ADMIN OPTION yet, and the 'mz_system' role is our version of the bootstrap superuser. The PostgreSQL commit that made this change can be found here: postgres/postgres@ce6b672 Part of MaterializeInc#11579
jkosh44
force-pushed
the
role-member-grantor-fix
branch
from
feabcba
to
95116e7
Compare
| // equivalent of the bootstrap superuser. Therefore the grantor is always 'mz_system'. | ||
| // For more details see: | ||
| // https://github.com/postgres/postgres/blob/064eb89e83ea0f59426c92906329f1e6c423dfa4/src/backend/commands/user.c#L2180-L2238 | ||
| let grantor_id = scx |
There was a problem hiding this comment.
Will this make the audit log useless for looking up which human typed grant or revoke? If so, we should delay this PR until ADMIN OPTION is implemented somehow. Can ADMIN OPTION be implied for superusers?
There was a problem hiding this comment.
Will this make the audit log useless for looking up which human typed grant or revoke?
Pretty much yes.
If so, we should delay this PR until ADMIN OPTION is implemented somehow.
Even when ADMIN OPTION is implemented, the grantor role does not always reflect the role that executed the GRANT statement. It reflects the role chosen as the best grantor.
Can ADMIN OPTION be implied for superusers.
Yes in the sense that superusers can always execute GRANT. No in the sense that the superuser will not be chosen as the grantor unless they have ADMIN OPTION explicitly.
There was a problem hiding this comment.
Maybe the audit log entry should contain an additional field of something like "session role membership".
There was a problem hiding this comment.
I updated the audit log to also contain the role of the session that execute the command.
If you're curious the pg mailing thread that discusses this change can be found here: https://www.postgresql.org/message-id/flat/1102925.1654199458%40sss.pgh.pa.us#505bfe4947d7a86ee07d5fdad85f34d1
It's very long and mostly irrelevant to this change (I haven't finished reading the whole thing yet). Scroll down to where the email subject changes from "CREATEROLE and role ownership hierarchies" to "pg_auth_members.grantor is bunk" for the relevant emails.
Co-authored-by: Matt Jibson <matt.jibson@gmail.com>
…ize into role-member-grantor-fix
…e-member-grantor-fix # Conflicts: # src/adapter/src/catalog/storage.rs
In general we try and target the most recent version of PostgreSQL, though I'm not sure if that's written down anywhere. For breaking changes we can address them on a case-by-case basis. However, PostgreSQL is also reluctant to make breaking changes, so if they're making the change then it's probably an important change. |
…e-member-grantor-fix # Conflicts: # src/adapter/src/catalog/storage.rs
I haven't read every single message, but my understanding of "bunk" in this context is that it means:
None of these really apply to |
Previously, role membership was modeled after the implementation of role membership in PostgreSQL v15. Specifically the grantor was set as the role ID of the session executing the
GRANTstatement. However, PostgreSQL v16, which has not been released yet as of this commit, updated role membership to be more consistent with the SQL standard and with object privileges. Specifically the grantor could only be set to someone with ADMIN OPTION on the role being granted or the bootstrap superuser.This commit set's the grantor of all role membership to the mz_system role. We haven't implemented ADMIN OPTION yet, and the 'mz_system' role is our version of the bootstrap superuser.
The PostgreSQL commit that made this change can be found here: postgres/postgres@ce6b672
Part of #11579
Motivation
Tips for reviewer
Checklist
$T ⇔ Proto$Tmapping (possibly in a backwards-incompatible way) and therefore is tagged with aT-protolabel.