BUG #18934: Even with WITH ADMIN OPTION, I Cannot Manage Role Memberships
| От | PG Bug reporting form |
|---|---|
| Тема | BUG #18934: Even with WITH ADMIN OPTION, I Cannot Manage Role Memberships |
| Дата | |
| Msg-id | 18934-67d2e90068801d2b@postgresql.org обсуждение исходный текст |
| Ответы |
Re: BUG #18934: Even with WITH ADMIN OPTION, I Cannot Manage Role Memberships
|
| Список | pgsql-bugs |
The following bug has been logged on the website:
Bug reference: 18934
Logged by: Luis Couto
Email address: snaperling@gmail.com
PostgreSQL version: 16.8
Operating system: Windows 10
Description:
In PostgreSQL, I have a role hierarchy involving a user and two group roles:
Roles:
tester1@something — a user role (not superuser)
user_manager — an intermediate group role
user_group — the target group role whose membership I want to manage
| Role | Member Of | `WITH ADMIN
OPTION` |
| `tester1@something` | `user_manager` | YES
|
| `user_manager` | `user_group` | YES
|
In this configuration:
tester1@something should be able to add/remove members from user_group.
But it cannot — GRANT or REVOKE on user_group fails.
Even though tester1@something has full admin rights on user_manager, and
user_manager has admin rights on user_group.
Role Setup (After Manual Fix)
When I run:
REVOKE ADMIN OPTION FOR user_group FROM user_manager;
So that now:
Role Member Of WITH ADMIN OPTION
tester1@something user_manager YES
user_manager user_group NO
Now, unexpectedly:
tester1@something can add and remove members from user_group.
Even though no role in the chain has WITH ADMIN OPTION on user_group.
Summary of the Two Issues
1. Main Issue (Unexpected Restriction):
When user_manager has WITH ADMIN OPTION on user_group, and I (as
tester1@something) have WITH ADMIN OPTION on user_manager, I cannot manage
user_group.
This is confusing — PostgreSQL should allow it, as both admin links are
present. (maybe I'm getting something wrong)
2. Secondary Issue (Unexpected Permission Grant):
If I revoke admin option from user_manager on user_group, suddenly I can
manage user_group from tester1@something.
This contradicts the documented need for WITH ADMIN OPTION and appears to
expose a privilege inconsistency or escalation.
What could be happening?
Thank you in advance,
Luis Couto
В списке pgsql-bugs по дате отправления: