SET ROLE documentation not entirely correct

From: PG Doc comments form
Subject: SET ROLE documentation not entirely correct
Msg-id 155603476764.1372.10888362840885095061@wrigleys.postgresql.org
Replies: Re: SET ROLE documentation not entirely correct
List: pgsql-docs
The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/11/sql-set-role.html
Description:

In the course of trying to sanitise our roles and permissions I found the
notes in the SET ROLE docs a little misleading:

"If the session user role has the INHERITS attribute, then it automatically
has all the privileges of every role that it could SET ROLE to; in this case
SET ROLE effectively drops all the privileges assigned directly to the
session user and to the other roles it is a member of, leaving only the
privileges available to the named role."

This doesn't seem to be true. Consider the following:

CREATE ROLE userrole INHERIT LOGIN;
CREATE ROLE usergroup NOINHERIT NOLOGIN;
GRANT usergroup TO userrole;
CREATE ROLE sensitive;
GRANT sensitive TO usergroup;

SET SESSION AUTHORIZATION userrole;

SELECT session_user, current_user, rolinherit, pg_has_role('sensitive',
'USAGE') as usage, pg_has_role('sensitive', 'MEMBER') as member
FROM pg_roles
WHERE rolname = session_user;

+--------------+--------------+------------+-------+--------+
| session_user | current_user | rolinherit | usage | member |
+--------------+--------------+------------+-------+--------+
| userrole     | userrole     | True       | False | True   |
+--------------+--------------+------------+-------+--------+

Here the session role 'userrole' has the INHERITS attribute, and can SET
ROLE to 'sensitive', but contrary to the docs it does not automatically have
the privileges associated with 'sensitive'. The intermediate 'usergroup'
NOINHERIT role blocks automatic inheritance. That can be demonstrated like
this:

SET ROLE sensitive;
SELECT session_user, current_user, rolinherit, pg_has_role('sensitive',
'USAGE') as usage, pg_has_role('sensitive', 'MEMBER') as member
FROM pg_roles
WHERE rolname = session_user;

+--------------+--------------+------------+-------+--------+
| session_user | current_user | rolinherit | usage | member |
+--------------+--------------+------------+-------+--------+
| userrole     | sensitive    | True       | True  | True   |
+--------------+--------------+------------+-------+--------+

(This is all on v11.2, in case it matters)
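An added audit query, not part of the report above, that recreates the reported role chain and then walks the membership graph from 'userrole' with a recursive CTE: for every reachable role it reports the path, whether that role's privileges are inherited automatically (every member on the path has INHERIT) or only reachable via SET ROLE, and cross-checks the result against pg_has_role(). It assumes the pre-16 role-level INHERIT attribute in effect on the reported v11.2 and reuses the constructed role names from the post.

```sql
-- Constructed roles mirroring the report: an INHERIT login role that is a
-- member of a NOINHERIT group, which in turn is a member of 'sensitive'.
CREATE ROLE userrole INHERIT LOGIN;
CREATE ROLE usergroup NOINHERIT NOLOGIN;
GRANT usergroup TO userrole;
CREATE ROLE sensitive;
GRANT sensitive TO usergroup;

-- Walk outward from the starting role. A role's privileges are inherited
-- only while every role on the path before it has rolinherit = true; the
-- first NOINHERIT member cuts inheritance for everything beyond it, even
-- though SET ROLE (MEMBER) remains possible all the way down the chain.
WITH RECURSIVE chain AS (
    SELECT r.oid, r.rolname, r.rolinherit,
           true             AS inherited,   -- a role always has its own privileges
           ARRAY[r.rolname] AS path
    FROM pg_roles r
    WHERE r.rolname = 'userrole'
  UNION ALL
    SELECT g.oid, g.rolname, g.rolinherit,
           c.inherited AND c.rolinherit,    -- the member's attribute decides, not the grantee's
           c.path || g.rolname
    FROM chain c
    JOIN pg_auth_members m ON m.member = c.oid
    JOIN pg_roles g        ON g.oid    = m.roleid
    WHERE g.rolname <> ALL (c.path)         -- membership can form cycles; do not loop
)
SELECT rolname                                   AS reachable_role,
       array_to_string(path, ' -> ')             AS via,
       inherited                                 AS privileges_inherited,
       true                                      AS can_set_role,
       pg_has_role('userrole', rolname, 'USAGE') AS server_says_usage
FROM chain
WHERE rolname <> 'userrole'
ORDER BY path;
-- Expected for the roles above:
--   usergroup  via userrole -> usergroup               inherited = true,  server_says_usage = true
--   sensitive  via userrole -> usergroup -> sensitive  inherited = false, server_says_usage = false
```

Running the same query for each login role in pg_roles gives a quick inventory of where SET ROLE grants more than automatic inheritance does, which is exactly the gap the report describes.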
