On Sat, May 1, 2021 at 5:26 AM Bingyu Shen <ahshenbin...@gmail.com> wrote: > Hi hackers, > > I was wondering if we can improve the error messages for acl permission > failures. > Current implementation to report errors is in "backend/catalog/aclchk.c" > void aclcheck_error(AclResult aclerr, ObjectType objtype, const char > *objectname); > > based on the AclResult type, it print log messages like > "permission denied for schema %s" > which tells the admins what could be the domain of the permission-deny, > like table name or schema name. > > However, I find that the log messages *lack* more details, i.e., the > *exact permission* that causes the permission-deny. For the novice users, > they may end up over-granting the permission to fix the issues > and cause security vulnerability in the database. > > I think the log messages can be better if we add some diagnostic > information like which *role* is denied and what *permission* it lacks. > This way the users know which permission to grant exactly > without the trial-and-errors.
I think it's easy for users (even if they are novice) to know exactly what permission they are lacking by just looking at the query. See, the permissions we have in parsenodes.h with ACL_XXXX, they are quite clear and can be understood by the type of query. So, I don't think printing that obvious information in the log message is something we would want to improve. To know the current role with which the query is run, users can use CURRENT_ROLE or pg_roles. With Regards, Bharath Rupireddy. EnterpriseDB: http://www.enterprisedb.com
