-
Notifications
You must be signed in to change notification settings - Fork 459
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sql: Ensure role member grantor is always valid #18781
Conversation
Previously, role membership was modeled after the implementation of role membership in PostgreSQL v15. Specifically the grantor was set as the role ID of the session executing the `GRANT` statement. However, PostgreSQL v16, which has not been released yet as of this commit, updated role membership to be more consistent with the SQL standard and with object privileges. Specifically the grantor could only be set to someone with ADMIN OPTION on the role being granted or the bootstrap superuser. This commit set's the grantor of all role membership to the mz_system role. We haven't implemented ADMIN OPTION yet, and the 'mz_system' role is our version of the bootstrap superuser. The PostgreSQL commit that made this change can be found here: postgres/postgres@ce6b672 Part of MaterializeInc#11579
Previously, role membership was modeled after the implementation of role membership in PostgreSQL v15. Specifically the grantor was set as the role ID of the session executing the `GRANT` statement. However, PostgreSQL v16, which has not been released yet as of this commit, updated role membership to be more consistent with the SQL standard and with object privileges. Specifically the grantor could only be set to someone with ADMIN OPTION on the role being granted or the bootstrap superuser. This commit set's the grantor of all role membership to the mz_system role. We haven't implemented ADMIN OPTION yet, and the 'mz_system' role is our version of the bootstrap superuser. The PostgreSQL commit that made this change can be found here: postgres/postgres@ce6b672 Part of MaterializeInc#11579
This commit prevents dropping a role, if that role is a grantor fo some other role membership. This helps ensure that the grantor references in the catalog always remain valid. As of this commit, the only valid grantor is mz_system which is impossible to delete. So it's impossible to hit this error scenario. However, this is more future-proof for when we implement ADMIN OPTION and allow other grantors. This is based off of the equivalent commit in PostgreSQL here: postgres/postgres@6566133 That commit will be part of PostgreSQL v16 and was not included in v15. Part of MaterializeInc#11579
3b0424f
to
409e0f4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Last commit LGTM. Probably gotta wait until we decide about the others though.
for role in scx.catalog.get_roles() { | ||
for (member_id, grantor_id) in role.membership() { | ||
if &id == grantor_id { | ||
let member_role = scx.catalog.get_role(member_id); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you add a SLT test for the block starting here? It seems to be uncovered currently.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not possible right now. The only valid role that can be a grantor is mz_system
which can't be dropped. This is mostly a sanity check as well as future proofing for when we add ADMIN OPTION
, which will allow other grantors that aren't mz_system
.
…gling-grantors # Conflicts: # src/adapter/src/catalog.rs # src/adapter/src/catalog/storage.rs # src/audit-log/src/lib.rs # src/sql/src/plan.rs
This commit prevents dropping a role, if that role is a grantor for some other role membership. This helps ensure that the grantor references in the catalog always remain valid. As of this commit, the only valid grantor is mz_system which is impossible to delete. So it's impossible to hit this error scenario. However, this is more future-proof for when we implement ADMIN OPTION and allow other grantors. This is based off of the equivalent commit in PostgreSQL here: postgres/postgres@6566133 That commit will be part of PostgreSQL v16 and was not included in v15. Part of MaterializeInc#11579
This commit prevents dropping a role, if that role is a grantor fo some
other role membership. This helps ensure that the grantor references in
the catalog always remain valid.
As of this commit, the only valid grantor is mz_system which is
impossible to delete. So it's impossible to hit this error scenario.
However, this is more future-proof for when we implement ADMIN OPTION
and allow other grantors.
This is based off of the equivalent commit in PostgreSQL here:
postgres/postgres@6566133
That commit will be part of PostgreSQL v16 and was not included in v15.
Part of #11579
Tips for Reviewer
Motivation
This PR adds a known-desirable feature.
Checklist
$T ⇔ Proto$T
mapping (possibly in a backwards-incompatible way) and therefore is tagged with aT-proto
label.