Thread: Why is_admin_of_role() use ROLERECURSE_MEMBERS rather than ROLERECURSE_PRIVS?

Why is_admin_of_role() use ROLERECURSE_MEMBERS rather than ROLERECURSE_PRIVS?

From: "cca5507"
Date:
Hi,

When reading the code, I find is_admin_of_role() uses ROLERECURSE_MEMBERS while select_best_admin() uses ROLERECURSE_PRIVS.

Why do they mismatch?

The following case will have is_admin_of_role() return true and select_best_admin() return InvalidOid:

create user u1;
create user u2;
create user u3;
create user u4;
grant u2 to u1 with admin true ;
grant u3 to u2 with admin true ;
revoke inherit option for u2 from u1 ;
set session authorization u1;
grant u3 to u4;

The "grant u3 to u4;" will report the error "no possible grantors" rather than "permission denied to grant role".

Is this the expected behavior?

--
Regards,
ChangAo Chen

Hi,

According to the comment in check_role_grantor():

            /*
             * Otherwise, the grantor must either have ADMIN OPTION on the role or
             * inherit the privileges of a role which does. In the former case,
             * record the grantor as the current user; in the latter, pick one of
             * the roles that is "most directly" inherited by the current role
             * (i.e. fewest "hops").
             *
             * (We shouldn't fail to find a best grantor, because we've already
             * established that the current user has permission to perform the
             * operation.)
             */
            grantorId = select_best_admin(currentUserId, roleid);
            if (!OidIsValid(grantorId))
                elog(ERROR, "no possible grantors");

But the "no possible grantors" error can happen in my test case.

The main reason is that is_admin_of_role() and select_best_admin() use different role recurse methods.

I think they should be kept consistent, maybe both use ROLERECURSE_PRIVS? Thoughts?

--
Regards,
ChangAo Chen
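
The mismatch described in the two messages above, as a small C model added here (it is not PostgreSQL source and not the attached patch). It assumes the MEMBERS mode follows every membership while the PRIVS mode skips memberships without INHERIT; find_admin, model_is_admin, model_best_admin and the integer role ids are hypothetical names.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model (an assumption, not PostgreSQL source): one entry per
 * role membership; roles are small integers, INVALID stands for InvalidOid. */
enum recurse { RECURSE_MEMBERS, RECURSE_PRIVS };
enum { INVALID = 0, U1, U2, U3, U4, NROLES };
struct grant { int role, member; bool admin, inherit; };

/* Constructed from the SQL in the report, state after the REVOKE. */
static const struct grant grants[] = {
    { U2, U1, true, false },  /* u1 in u2: admin, inherit revoked */
    { U3, U2, true, true  },  /* u2 in u3: admin, inherit on (assumed default) */
};
#define NGRANTS ((int) (sizeof grants / sizeof grants[0]))

/* Walk upward from start; return the first role found holding ADMIN OPTION
 * on target, else INVALID. RECURSE_PRIVS does not follow non-INHERIT grants. */
static int find_admin(int start, int target, enum recurse mode)
{
    int queue[NROLES], head = 0, tail = 0, admin = INVALID;
    bool seen[NROLES] = { false };
    queue[tail++] = start;
    seen[start] = true;
    while (head < tail) {
        int cur = queue[head++];
        for (int i = 0; i < NGRANTS; i++) {
            const struct grant *g = &grants[i];
            if (g->member != cur)
                continue;
            if (g->role == target && g->admin && admin == INVALID)
                admin = cur;
            if (mode == RECURSE_PRIVS && !g->inherit)
                continue;              /* non-inherited grant: stop here */
            if (!seen[g->role]) {
                seen[g->role] = true;
                queue[tail++] = g->role;
            }
        }
    }
    return admin;
}

/* Stand-ins for the two checks named in the thread. */
static bool model_is_admin(int m, int r) { return find_admin(m, r, RECURSE_MEMBERS) != INVALID; }
static int model_best_admin(int m, int r) { return find_admin(m, r, RECURSE_PRIVS); }

int main(void)
{
    printf("is_admin=%d best_admin=%d\n", model_is_admin(U1, U3), model_best_admin(U1, U3));
    return 0;
}
```

In this model the permission check for u1 on u3 passes while the grantor lookup comes back empty, which is the state in which the report sees "no possible grantors".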

Hi,

I attach a small patch for this.

Looking forward to your review.

--
Regards,
ChangAo Chen

Attachments