On 11/21/22 15:39, Robert Haas wrote:
I'm curious to hear what other people think of these proposals, but let me first say what I think about them. First, I think it's clear that we need to do something, because things right now are pretty badly broken and in a way that affects security. Although these patches are not back-patchable, they at least promise to improve things as older versions go out of use.
+1
Second, it's possible that we should look for back-patchable fixes here, but I can't really see that we're going to come up with anything much better than just telling people not to use this feature against older releases, because back-patching catalog changes or dramatic behavior changes seems like a non-starter. In other words, I think this is going to be a master-only fix.
Yep, seems highly likely
Third, someone could well have a better or just different idea how to fix the problems in this area than what I'm proposing here. This is the best that I've been able to come up with so far, but that's not to say it's free of problems or that no improvements are possible.
On quick inspection I like what you have proposed and no significantly "better" ideas jump to mind. I will try to think on it though.
Finally, I think that whatever we do about the code, the documentation needs quite a bit of work, because the code is doing a lot of stuff that is security-critical and entirely non-obvious from the documentation. I have not in this version of these patches included any documentation changes and the regression test changes that I have included are quite minimal. That all needs to be fixed up before there could be any thought of moving forward with these patches. However, I thought it best to get rough patches and an outline of the proposed direction on the table first, before doing a lot of work refining things.
I have looked at, and even done some doc improvements in this area in the past, and concluded that it is simply hard to describe it in a clear, straightforward way.
There are multiple competing concepts (privs on objects, attributes of roles, membership, when things are inherited versus not, settings bound to roles, etc). I don't know what to do about it, but yeah, fixing the documentation would be a noble goal.
-- Joe Conway PostgreSQL Contributors Team RDS Open Source Databases Amazon Web Services: https://aws.amazon.com