granted role
</para></entry>
</row>
+
+ <row>
+ <entry role="catalog_table_entry"><para role="column_definition">
+ <structfield>set_option</structfield> <type>bool</type>
+ </para>
+ <para>
+ True if the member can
+ <link linkend="sql-set-role"><command>SET ROLE</command></link>
+ to the granted role
+ </para></entry>
+ </row>
</tbody>
</tgroup>
</table>
<para>
Does user have privilege for role?
Allowable privilege types are
- <literal>MEMBER</literal> and <literal>USAGE</literal>.
+ <literal>MEMBER</literal>, <literal>USAGE</literal>,
+ and <literal>SET</literal>.
<literal>MEMBER</literal> denotes direct or indirect membership in
- the role (that is, the right to do <command>SET ROLE</command>), while
+ the role without regard to what specific privileges may be conferred.
<literal>USAGE</literal> denotes whether the privileges of the role
- are immediately available without doing <command>SET ROLE</command>.
+ are immediately available without doing <command>SET ROLE</command>,
+ while <literal>SET</literal> denotes whether it is possible to change
+ to the role using the <literal>SET ROLE</literal> command.
This function does not allow the special case of
setting <parameter>user</parameter> to <literal>public</literal>,
because the PUBLIC pseudo-role can never be a member of real roles.
[ GRANTED BY <replaceable class="parameter">role_specification</replaceable> ]
GRANT <replaceable class="parameter">role_name</replaceable> [, ...] TO <replaceable class="parameter">role_specification</replaceable> [, ...]
- [ WITH { ADMIN | INHERIT } { OPTION | TRUE | FALSE } ]
+ [ WITH { ADMIN | INHERIT | SET } { OPTION | TRUE | FALSE } ]
[ GRANTED BY <replaceable class="parameter">role_specification</replaceable> ]
<phrase>where <replaceable class="parameter">role_specification</replaceable> can be:</phrase>
<para>
This variant of the <command>GRANT</command> command grants membership
in a role to one or more other roles. Membership in a role is significant
- because it conveys the privileges granted to a role to each of its
- members.
+ because it potentially allows access to the privileges granted to a role
+ to each of its members, and potentially also the ability to make changes
+ to the role itself. However, the actualy permisions conferred depend on
+ the options associated with the grant.
</para>
<para>
- The effect of membership in a role can be modified by specifying the
- <literal>ADMIN</literal> or <literal>INHERIT</literal> option, each
- of which can be set to either <literal>TRUE</literal> or
- <literal>FALSE</literal>. The keyword <literal>OPTION</literal> is accepted
- as a synonym for <literal>TRUE</literal>, so that
- <literal>WITH ADMIN OPTION</literal>
+ Each of the options described below can be set to either
+ <literal>TRUE</literal> or <literal>FALSE</literal>. The keyword
+ <literal>OPTION</literal> is accepted as a synonym for
+ <literal>TRUE</literal>, so that <literal>WITH ADMIN OPTION</literal>
is a synonym for <literal>WITH ADMIN TRUE</literal>.
</para>
OPTION</literal> on itself. Database superusers can grant or revoke
membership in any role to anyone. Roles having
<literal>CREATEROLE</literal> privilege can grant or revoke membership
- in any role that is not a superuser.
+ in any role that is not a superuser. This option defaults to
+ <literal>FALSE</literal>.
</para>
<para>
See <link linkend="sql-createrole"><command>CREATE ROLE</command></link>.
</para>
+ <para>
+ The <literal>SET</literal> option, if it is set to
+ <literal>TRUE</literal>, allows the member to change to the granted
+ role using the
+ <link linkend="sql-set-role"><command>SET ROLE</command></link>
+ command. If a role is an indirect member of another role, it can use
+ <literal>SET ROLE</literal> to change to that role only if there is a
+ chain of grants each of which has <literal>SET TRUE</literal>.
+ This option defaults to <literal>TRUE</literal>.
+ </para>
+
<para>
If <literal>GRANTED BY</literal> is specified, the grant is recorded as
having been done by the specified role. A user can only attribute a grant
[ GRANTED BY <replaceable class="parameter">role_specification</replaceable> ]
[ CASCADE | RESTRICT ]
-REVOKE [ { ADMIN | INHERIT } OPTION FOR ]
+REVOKE [ { ADMIN | INHERIT | SET } OPTION FOR ]
<replaceable class="parameter">role_name</replaceable> [, ...] FROM <replaceable class="parameter">role_specification</replaceable> [, ...]
[ GRANTED BY <replaceable class="parameter">role_specification</replaceable> ]
[ CASCADE | RESTRICT ]
<para>
Just as <literal>ADMIN OPTION</literal> can be removed from an existing
- role grant, it is also possible to revoke <literal>INHERIT OPTION</literal>.
- This is equivalent to setting the value of that option to
- <literal>FALSE</literal>.
+ role grant, it is also possible to revoke <literal>INHERIT OPTION</literal>
+ or <literal>SET OPTION</literal>. This is equivalent to setting the value
+ of the corresponding option to <literal>FALSE</literal>.
</para>
</refsect1>
effectively drops all the privileges except for those which the target role
directly possesses or inherits. On the other hand, if the session user role
has been granted memberships <literal>WITH INHERIT FALSE</literal>, the
- privileges of the granted roles can't be accessed by default. However, the
+ privileges of the granted roles can't be accessed by default. However, if
+ the role was granted <literal>WITH SET TRUE</literal>, the
session user can use <command>SET ROLE</command> to drop the privileges
assigned directly to the session user and instead acquire the privileges
- available to the named role.
+ available to the named role. If the role was granted <literal>WITH INHERIT
+ FALSE, SET FALSE</literal> then the privileges of that role cannot be
+ exercised either with or without <literal>SET ROLE</literal>.
</para>
<para>
- In particular, when a superuser chooses to <command>SET ROLE</command> to a
+ Note that when a superuser chooses to <command>SET ROLE</command> to a
non-superuser role, they lose their superuser privileges.
</para>
<para>
The members of a group role can use the privileges of the role in two
- ways. First, every member of a group can explicitly do
+ ways. First, member roles that have been granted membership with the
+ <literal>SET</literal> option can do
<link linkend="sql-set-role"><command>SET ROLE</command></link> to
temporarily <quote>become</quote> the group role. In this state, the
database session has access to the privileges of the group role rather
CREATE ROLE joe LOGIN;
CREATE ROLE admin;
CREATE ROLE wheel;
+CREATE ROLE island;
GRANT admin TO joe WITH INHERIT TRUE;
GRANT wheel TO admin WITH INHERIT FALSE;
+GRANT island TO joe WITH INHERIT TRUE, SET FALSE;
</programlisting>
Immediately after connecting as role <literal>joe</literal>, a database
session will have use of privileges granted directly to <literal>joe</literal>
- plus any privileges granted to <literal>admin</literal>, because <literal>joe</literal>
- <quote>inherits</quote> <literal>admin</literal>'s privileges. However, privileges
+ plus any privileges granted to <literal>admin</literal> and
+ <literal>island</literal>, because <literal>joe</literal>
+ <quote>inherits</quote> those privileges. However, privileges
granted to <literal>wheel</literal> are not available, because even though
<literal>joe</literal> is indirectly a member of <literal>wheel</literal>, the
membership is via <literal>admin</literal> which was granted using
SET ROLE admin;
</programlisting>
the session would have use of only those privileges granted to
- <literal>admin</literal>, and not those granted to <literal>joe</literal>. After:
+ <literal>admin</literal>, and not those granted to <literal>joe</literal> or
+ <literal>island</literal>. After:
<programlisting>
SET ROLE wheel;
</programlisting>
<note>
<para>
The <command>SET ROLE</command> command always allows selecting any role
- that the original login role is directly or indirectly a member of.
+ that the original login role is directly or indirectly a member of,
+ provided that there is a chain of membership grants each of which has
+ <literal>SET TRUE</literal> (which is the default).
Thus, in the above example, it is not necessary to become
<literal>admin</literal> before becoming <literal>wheel</literal>.
+ On the other hand, it is not possible to become <literal>island</literal>
+ at all; <literal>joe</literal> can only access those privileges via
+ inheritance.
</para>
</note>
objname);
}
/* Must be able to become new owner */
- check_is_member_of_role(GetUserId(), new_ownerId);
+ check_can_set_role(GetUserId(), new_ownerId);
/* New owner must have CREATE privilege on namespace */
if (OidIsValid(namespaceId))
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("permission denied to create database")));
- check_is_member_of_role(GetUserId(), datdba);
+ check_can_set_role(GetUserId(), datdba);
/*
* Lookup database (template) to be cloned, and obtain share lock on it.
dbname);
/* Must be able to become new owner */
- check_is_member_of_role(GetUserId(), newOwnerId);
+ check_can_set_role(GetUserId(), newOwnerId);
/*
* must have createdb rights
NameStr(form->srvname));
/* Must be able to become new owner */
- check_is_member_of_role(GetUserId(), newOwnerId);
+ check_can_set_role(GetUserId(), newOwnerId);
/* New owner must have USAGE privilege on foreign-data wrapper */
aclresult = object_aclcheck(ForeignDataWrapperRelationId, form->srvfdw, newOwnerId, ACL_USAGE);
NameStr(form->pubname));
/* Must be able to become new owner */
- check_is_member_of_role(GetUserId(), newOwnerId);
+ check_can_set_role(GetUserId(), newOwnerId);
/* New owner must have CREATE privilege on database */
aclresult = object_aclcheck(DatabaseRelationId, MyDatabaseId, newOwnerId, ACL_CREATE);
aclcheck_error(aclresult, OBJECT_DATABASE,
get_database_name(MyDatabaseId));
- check_is_member_of_role(saved_uid, owner_uid);
+ check_can_set_role(saved_uid, owner_uid);
/* Additional check to protect reserved schema names */
if (!allowSystemTableMods && IsReservedName(schemaName))
NameStr(nspForm->nspname));
/* Must be able to become new owner */
- check_is_member_of_role(GetUserId(), newOwnerId);
+ check_can_set_role(GetUserId(), newOwnerId);
/*
* must have create-schema rights
RelationGetRelationName(target_rel));
/* Must be able to become new owner */
- check_is_member_of_role(GetUserId(), newOwnerId);
+ check_can_set_role(GetUserId(), newOwnerId);
/* New owner must have CREATE privilege on namespace */
aclresult = object_aclcheck(NamespaceRelationId, namespaceOid, newOwnerId,
aclcheck_error_type(ACLCHECK_NOT_OWNER, typTup->oid);
/* Must be able to become new owner */
- check_is_member_of_role(GetUserId(), newOwnerId);
+ check_can_set_role(GetUserId(), newOwnerId);
/* New owner must have CREATE privilege on namespace */
aclresult = object_aclcheck(NamespaceRelationId, typTup->typnamespace,
* RRG_REMOVE_ADMIN_OPTION indicates a grant that would need to have
* admin_option set to false by the operation.
*
- * RRG_REMOVE_INHERIT_OPTION indicates a grant that would need to have
- * inherit_option set to false by the operation.
+ * Similarly, RRG_REMOVE_INHERIT_OPTION and RRG_REMOVE_SET_OPTION indicate
+ * grants that would need to have the corresponding options set to false.
*
* RRG_DELETE_GRANT indicates a grant that would need to be removed entirely
* by the operation.
RRG_NOOP,
RRG_REMOVE_ADMIN_OPTION,
RRG_REMOVE_INHERIT_OPTION,
+ RRG_REMOVE_SET_OPTION,
RRG_DELETE_GRANT
} RevokeRoleGrantAction;
unsigned specified;
bool admin;
bool inherit;
+ bool set;
} GrantRoleOptions;
#define GRANT_ROLE_SPECIFIED_ADMIN 0x0001
#define GRANT_ROLE_SPECIFIED_INHERIT 0x0002
+#define GRANT_ROLE_SPECIFIED_SET 0x0004
/* GUC parameter */
int Password_encryption = PASSWORD_TYPE_SCRAM_SHA_256;
if (parse_bool(optval, &popt.inherit))
continue;
}
+ else if (strcmp(opt->defname, "set") == 0)
+ {
+ popt.specified |= GRANT_ROLE_SPECIFIED_SET;
+ if (parse_bool(optval, &popt.set))
+ continue;
+ }
else
ereport(ERROR,
errcode(ERRCODE_SYNTAX_ERROR),
at_least_one_change = true;
}
+ if ((popt->specified & GRANT_ROLE_SPECIFIED_SET) != 0
+ && authmem_form->set_option != popt->set)
+ {
+ new_record[Anum_pg_auth_members_set_option - 1] =
+ BoolGetDatum(popt->set);
+ new_record_repl[Anum_pg_auth_members_set_option - 1] =
+ true;
+ at_least_one_change = true;
+ }
+
if (!at_least_one_change)
{
ereport(NOTICE,
Oid objectId;
Oid *newmembers = palloc(sizeof(Oid));
- /* Set admin option if user set it to true, otherwise not. */
+ /*
+ * The values for these options can be taken directly from 'popt'.
+ * Either they were specified, or the defaults as set by
+ * InitGrantRoleOptions are correct.
+ */
new_record[Anum_pg_auth_members_admin_option - 1] =
BoolGetDatum(popt->admin);
+ new_record[Anum_pg_auth_members_set_option - 1] =
+ BoolGetDatum(popt->set);
/*
* If the user specified a value for the inherit option, use
new_record_repl[Anum_pg_auth_members_inherit_option - 1] =
true;
}
+ else if (actions[i] == RRG_REMOVE_SET_OPTION)
+ {
+ new_record[Anum_pg_auth_members_set_option - 1] =
+ BoolGetDatum(false);
+ new_record_repl[Anum_pg_auth_members_set_option - 1] =
+ true;
+ }
else
elog(ERROR, "unknown role revoke action");
*/
actions[i] = RRG_REMOVE_INHERIT_OPTION;
}
+ else if ((popt->specified & GRANT_ROLE_SPECIFIED_SET) != 0)
+ {
+ /* Here too, no need to recurse. */
+ actions[i] = RRG_REMOVE_SET_OPTION;
+ }
else
{
bool revoke_admin_option_only;
popt->specified = 0;
popt->admin = false;
popt->inherit = false;
+ popt->set = true;
}
* leader's state.
*/
if (!InitializingParallelWorker &&
- !is_member_of_role(GetSessionUserId(), roleid))
+ !member_can_set_role(GetSessionUserId(), roleid))
{
if (source == PGC_S_TEST)
{
*
* Each element of cached_roles is an OID list of constituent roles for the
* corresponding element of cached_role (always including the cached_role
- * itself). One cache has ROLERECURSE_PRIVS semantics, and the other has
- * ROLERECURSE_MEMBERS semantics.
+ * itself). There's a separate cache for each RoleRecurseType, with the
+ * corresponding semantics.
*/
enum RoleRecurseType
{
- ROLERECURSE_PRIVS = 0, /* recurse through inheritable grants */
- ROLERECURSE_MEMBERS = 1 /* recurse unconditionally */
+ ROLERECURSE_MEMBERS = 0, /* recurse unconditionally */
+ ROLERECURSE_PRIVS = 1, /* recurse through inheritable grants */
+ ROLERECURSE_SETROLE = 2 /* recurse through grants with set_option */
};
-static Oid cached_role[] = {InvalidOid, InvalidOid};
-static List *cached_roles[] = {NIL, NIL};
+static Oid cached_role[] = {InvalidOid, InvalidOid, InvalidOid};
+static List *cached_roles[] = {NIL, NIL, NIL};
static uint32 cached_db_hash;
static const priv_map role_priv_map[] = {
{"USAGE", ACL_USAGE},
{"MEMBER", ACL_CREATE},
+ {"SET", ACL_SET},
{"USAGE WITH GRANT OPTION", ACL_GRANT_OPTION_FOR(ACL_CREATE)},
{"USAGE WITH ADMIN OPTION", ACL_GRANT_OPTION_FOR(ACL_CREATE)},
{"MEMBER WITH GRANT OPTION", ACL_GRANT_OPTION_FOR(ACL_CREATE)},
{"MEMBER WITH ADMIN OPTION", ACL_GRANT_OPTION_FOR(ACL_CREATE)},
+ {"SET WITH GRANT OPTION", ACL_GRANT_OPTION_FOR(ACL_CREATE)},
+ {"SET WITH ADMIN OPTION", ACL_GRANT_OPTION_FOR(ACL_CREATE)},
{NULL, 0}
};
if (has_privs_of_role(roleid, role_oid))
return ACLCHECK_OK;
}
+ if (mode & ACL_SET)
+ {
+ if (member_can_set_role(roleid, role_oid))
+ return ACLCHECK_OK;
+ }
return ACLCHECK_NO_PRIV;
}
}
/* Force membership caches to be recomputed on next use */
- cached_role[ROLERECURSE_PRIVS] = InvalidOid;
cached_role[ROLERECURSE_MEMBERS] = InvalidOid;
+ cached_role[ROLERECURSE_PRIVS] = InvalidOid;
+ cached_role[ROLERECURSE_SETROLE] = InvalidOid;
}
/*
* Get a list of roles that the specified roleid is a member of
*
- * Type ROLERECURSE_PRIVS recurses only through inheritable grants,
- * while ROLERECURSE_MEMBERS recurses through all grants.
+ * Type ROLERECURSE_MEMBERS recurses through all grants; ROLERECURSE_PRIVS
+ * recurses only through inheritable grants; and ROLERECURSE_SETROLe recurses
+ * only through grants with set_option.
*
* Since indirect membership testing is relatively expensive, we cache
* a list of memberships. Hence, the result is only guaranteed good until
if (type == ROLERECURSE_PRIVS && !form->inherit_option)
continue;
+ /* If we're supposed to ignore non-SET grants, do so. */
+ if (type == ROLERECURSE_SETROLE && !form->set_option)
+ continue;
+
/*
* Even though there shouldn't be any loops in the membership
* graph, we must test for having already seen this role. It is
/*
* Does member have the privileges of role (directly or indirectly)?
*
- * This is defined not to recurse through grants that are not inherited;
- * in such cases, membership implies the ability to do SET ROLE, but
- * the privileges are not available until you've done so.
+ * This is defined not to recurse through grants that are not inherited,
+ * and only inherited grants confer the associated privileges automatically.
+ *
+ * See also member_can_set_role, below.
*/
bool
has_privs_of_role(Oid member, Oid role)
role);
}
-
/*
- * Is member a member of role (directly or indirectly)?
+ * Can member use SET ROLE to this role?
*
- * This is defined to recurse through grants whether they are inherited or not.
+ * There must be a chain of grants from 'member' to 'role' each of which
+ * permits SET ROLE; that is, each of which has set_option = true.
*
- * Do not use this for privilege checking, instead use has_privs_of_role()
+ * It doesn't matter whether the grants are inheritable. That's a separate
+ * question; see has_privs_of_role.
+ *
+ * This function should be used to determine whether the session user can
+ * use SET ROLE to become the target user. We also use it to determine whether
+ * the session user can change an existing object to be owned by the target
+ * user, or create new objects owned by the target user.
*/
bool
-is_member_of_role(Oid member, Oid role)
+member_can_set_role(Oid member, Oid role)
{
/* Fast path for simple case */
if (member == role)
return true;
- /* Superusers have every privilege, so are part of every role */
+ /* Superusers have every privilege, so can always SET ROLE */
if (superuser_arg(member))
return true;
/*
- * Find all the roles that member is a member of, including multi-level
- * recursion, then see if target role is any one of them.
+ * Find all the roles that member can access via SET ROLE, including
+ * multi-level recursion, then see if target role is any one of them.
*/
- return list_member_oid(roles_is_member_of(member, ROLERECURSE_MEMBERS,
+ return list_member_oid(roles_is_member_of(member, ROLERECURSE_SETROLE,
InvalidOid, NULL),
role);
}
/*
- * check_is_member_of_role
- * is_member_of_role with a standard permission-violation error if not
+ * Permission violation eror unless able to SET ROLE to target role.
*/
void
-check_is_member_of_role(Oid member, Oid role)
+check_can_set_role(Oid member, Oid role)
{
- if (!is_member_of_role(member, role))
+ if (!member_can_set_role(member, role))
ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
- errmsg("must be member of role \"%s\"",
+ errmsg("must be able to SET ROLE \"%s\"",
GetUserNameFromId(role, false))));
}
+/*
+ * Is member a member of role (directly or indirectly)?
+ *
+ * This is defined to recurse through grants whether they are inherited or not.
+ *
+ * Do not use this for privilege checking, instead use has_privs_of_role().
+ * Don't use it for determining whether it's possible to SET ROLE to some
+ * other role; for that, use member_can_set_role(). And don't use it for
+ * determining whether it's OK to create an object owned by some other role:
+ * use member_can_set_role() for that, too.
+ *
+ * In short, calling this function is the wrong thing to do nearly everywhere.
+ */
+bool
+is_member_of_role(Oid member, Oid role)
+{
+ /* Fast path for simple case */
+ if (member == role)
+ return true;
+
+ /* Superusers have every privilege, so are part of every role */
+ if (superuser_arg(member))
+ return true;
+
+ /*
+ * Find all the roles that member is a member of, including multi-level
+ * recursion, then see if target role is any one of them.
+ */
+ return list_member_oid(roles_is_member_of(member, ROLERECURSE_MEMBERS,
+ InvalidOid, NULL),
+ role);
+}
+
/*
* Is member a member of role, not considering superuserness?
*
end,
total;
bool dump_grantors;
- bool dump_inherit_option;
+ bool dump_grant_options;
int i_inherit_option;
+ int i_set_option;
/*
* Previous versions of PostgreSQL didn't used to track the grantor very
dump_grantors = (PQserverVersion(conn) >= 160000);
/*
- * Previous versions of PostgreSQL also did not have a grant-level
+ * Previous versions of PostgreSQL also did not have grant-level options.
* INHERIT option.
*/
- dump_inherit_option = (server_version >= 160000);
+ dump_grant_options = (server_version >= 160000);
/* Generate and execute query. */
printfPQExpBuffer(buf, "SELECT ur.rolname AS role, "
"ug.oid AS grantorid, "
"ug.rolname AS grantor, "
"a.admin_option");
- if (dump_inherit_option)
- appendPQExpBufferStr(buf, ", a.inherit_option");
+ if (dump_grant_options)
+ appendPQExpBufferStr(buf, ", a.inherit_option, a.set_option");
appendPQExpBuffer(buf, " FROM pg_auth_members a "
"LEFT JOIN %s ur on ur.oid = a.roleid "
"LEFT JOIN %s um on um.oid = a.member "
"ORDER BY 1,2,4", role_catalog, role_catalog, role_catalog);
res = executeQuery(conn, buf->data);
i_inherit_option = PQfnumber(res, "inherit_option");
+ i_set_option = PQfnumber(res, "set_option");
if (PQntuples(res) > 0)
fprintf(OPF, "--\n-- Role memberships\n--\n\n");
char *admin_option;
char *grantorid;
char *grantor;
+ char *set_option = "true";
bool found;
/* If we already did this grant, don't do it again. */
grantorid = PQgetvalue(res, i, 2);
grantor = PQgetvalue(res, i, 3);
admin_option = PQgetvalue(res, i, 4);
+ if (dump_grant_options)
+ set_option = PQgetvalue(res, i, i_set_option);
/*
* If we're not dumping grantors or if the grantor is the
fprintf(OPF, " TO %s", fmtId(member));
if (*admin_option == 't')
appendPQExpBufferStr(optbuf, "ADMIN OPTION");
- if (dump_inherit_option)
+ if (dump_grant_options)
{
char *inherit_option;
*inherit_option == 't' ?
"TRUE" : "FALSE");
}
+ if (*set_option != 't')
+ {
+ if (optbuf->data[0] != '\0')
+ appendPQExpBufferStr(optbuf, ", ");
+ appendPQExpBuffer(optbuf, "SET FALSE");
+ }
if (optbuf->data[0] != '\0')
fprintf(OPF, " WITH %s", optbuf->data);
if (dump_grantors)
Oid grantor BKI_LOOKUP(pg_authid); /* who granted the membership */
bool admin_option; /* granted with admin option? */
bool inherit_option; /* exercise privileges without SET ROLE? */
+ bool set_option; /* use SET ROLE to the target role? */
} FormData_pg_auth_members;
/* ----------------
extern int aclmembers(const Acl *acl, Oid **roleids);
extern bool has_privs_of_role(Oid member, Oid role);
+extern bool member_can_set_role(Oid member, Oid role);
+extern void check_can_set_role(Oid member, Oid role);
extern bool is_member_of_role(Oid member, Oid role);
extern bool is_member_of_role_nosuper(Oid member, Oid role);
extern bool is_admin_of_role(Oid member, Oid role);
extern Oid select_best_admin(Oid member, Oid role);
-extern void check_is_member_of_role(Oid member, Oid role);
extern Oid get_role_oid(const char *rolname, bool missing_ok);
extern Oid get_role_oid_or_public(const char *rolname);
extern Oid get_rolespec_oid(const RoleSpec *role, bool missing_ok);
ERROR: function alt_func2(integer) already exists in schema "alt_nsp1"
ALTER FUNCTION alt_func1(int) RENAME TO alt_func3; -- OK
ALTER FUNCTION alt_func2(int) OWNER TO regress_alter_generic_user2; -- failed (no role membership)
-ERROR: must be member of role "regress_alter_generic_user2"
+ERROR: must be able to SET ROLE "regress_alter_generic_user2"
ALTER FUNCTION alt_func2(int) OWNER TO regress_alter_generic_user3; -- OK
ALTER FUNCTION alt_func2(int) SET SCHEMA alt_nsp1; -- OK, already there
ALTER FUNCTION alt_func2(int) SET SCHEMA alt_nsp2; -- OK
ERROR: function alt_agg2(integer) already exists in schema "alt_nsp1"
ALTER AGGREGATE alt_agg1(int) RENAME TO alt_agg3; -- OK
ALTER AGGREGATE alt_agg2(int) OWNER TO regress_alter_generic_user2; -- failed (no role membership)
-ERROR: must be member of role "regress_alter_generic_user2"
+ERROR: must be able to SET ROLE "regress_alter_generic_user2"
ALTER AGGREGATE alt_agg2(int) OWNER TO regress_alter_generic_user3; -- OK
ALTER AGGREGATE alt_agg2(int) SET SCHEMA alt_nsp2; -- OK
SET SESSION AUTHORIZATION regress_alter_generic_user2;
ALTER FUNCTION alt_func3(int) OWNER TO regress_alter_generic_user2; -- failed (not owner)
ERROR: must be owner of function alt_func3
ALTER FUNCTION alt_func2(int) OWNER TO regress_alter_generic_user3; -- failed (no role membership)
-ERROR: must be member of role "regress_alter_generic_user3"
+ERROR: must be able to SET ROLE "regress_alter_generic_user3"
ALTER FUNCTION alt_func3(int) SET SCHEMA alt_nsp2; -- failed (not owner)
ERROR: must be owner of function alt_func3
ALTER FUNCTION alt_func2(int) SET SCHEMA alt_nsp2; -- failed (name conflicts)
ALTER AGGREGATE alt_agg3(int) OWNER TO regress_alter_generic_user2; -- failed (not owner)
ERROR: must be owner of function alt_agg3
ALTER AGGREGATE alt_agg2(int) OWNER TO regress_alter_generic_user3; -- failed (no role membership)
-ERROR: must be member of role "regress_alter_generic_user3"
+ERROR: must be able to SET ROLE "regress_alter_generic_user3"
ALTER AGGREGATE alt_agg3(int) SET SCHEMA alt_nsp2; -- failed (not owner)
ERROR: must be owner of function alt_agg3
ALTER AGGREGATE alt_agg2(int) SET SCHEMA alt_nsp2; -- failed (name conflict)
ERROR: conversion "alt_conv2" already exists in schema "alt_nsp1"
ALTER CONVERSION alt_conv1 RENAME TO alt_conv3; -- OK
ALTER CONVERSION alt_conv2 OWNER TO regress_alter_generic_user2; -- failed (no role membership)
-ERROR: must be member of role "regress_alter_generic_user2"
+ERROR: must be able to SET ROLE "regress_alter_generic_user2"
ALTER CONVERSION alt_conv2 OWNER TO regress_alter_generic_user3; -- OK
ALTER CONVERSION alt_conv2 SET SCHEMA alt_nsp2; -- OK
SET SESSION AUTHORIZATION regress_alter_generic_user2;
ALTER CONVERSION alt_conv3 OWNER TO regress_alter_generic_user2; -- failed (not owner)
ERROR: must be owner of conversion alt_conv3
ALTER CONVERSION alt_conv2 OWNER TO regress_alter_generic_user3; -- failed (no role membership)
-ERROR: must be member of role "regress_alter_generic_user3"
+ERROR: must be able to SET ROLE "regress_alter_generic_user3"
ALTER CONVERSION alt_conv3 SET SCHEMA alt_nsp2; -- failed (not owner)
ERROR: must be owner of conversion alt_conv3
ALTER CONVERSION alt_conv2 SET SCHEMA alt_nsp2; -- failed (name conflict)
ALTER LANGUAGE alt_lang2 OWNER TO regress_alter_generic_user3; -- failed (not owner)
ERROR: must be owner of language alt_lang2
ALTER LANGUAGE alt_lang3 OWNER TO regress_alter_generic_user2; -- failed (no role membership)
-ERROR: must be member of role "regress_alter_generic_user2"
+ERROR: must be able to SET ROLE "regress_alter_generic_user2"
ALTER LANGUAGE alt_lang3 OWNER TO regress_alter_generic_user3; -- OK
RESET SESSION AUTHORIZATION;
SELECT lanname, a.rolname
CREATE OPERATOR @-@ ( leftarg = int4, rightarg = int4, procedure = int4mi );
CREATE OPERATOR @+@ ( leftarg = int4, rightarg = int4, procedure = int4pl );
ALTER OPERATOR @+@(int4, int4) OWNER TO regress_alter_generic_user2; -- failed (no role membership)
-ERROR: must be member of role "regress_alter_generic_user2"
+ERROR: must be able to SET ROLE "regress_alter_generic_user2"
ALTER OPERATOR @+@(int4, int4) OWNER TO regress_alter_generic_user3; -- OK
ALTER OPERATOR @-@(int4, int4) SET SCHEMA alt_nsp2; -- OK
SET SESSION AUTHORIZATION regress_alter_generic_user2;
ALTER OPERATOR @+@(int4, int4) OWNER TO regress_alter_generic_user2; -- failed (not owner)
ERROR: must be owner of operator @+@
ALTER OPERATOR @-@(int4, int4) OWNER TO regress_alter_generic_user3; -- failed (no role membership)
-ERROR: must be member of role "regress_alter_generic_user3"
+ERROR: must be able to SET ROLE "regress_alter_generic_user3"
ALTER OPERATOR @+@(int4, int4) SET SCHEMA alt_nsp2; -- failed (not owner)
ERROR: must be owner of operator @+@
-- can't test this: the error message includes the raw oid of namespace
ERROR: operator family "alt_opf2" for access method "hash" already exists in schema "alt_nsp1"
ALTER OPERATOR FAMILY alt_opf1 USING hash RENAME TO alt_opf3; -- OK
ALTER OPERATOR FAMILY alt_opf2 USING hash OWNER TO regress_alter_generic_user2; -- failed (no role membership)
-ERROR: must be member of role "regress_alter_generic_user2"
+ERROR: must be able to SET ROLE "regress_alter_generic_user2"
ALTER OPERATOR FAMILY alt_opf2 USING hash OWNER TO regress_alter_generic_user3; -- OK
ALTER OPERATOR FAMILY alt_opf2 USING hash SET SCHEMA alt_nsp2; -- OK
ALTER OPERATOR CLASS alt_opc1 USING hash RENAME TO alt_opc2; -- failed (name conflict)
ERROR: operator class "alt_opc2" for access method "hash" already exists in schema "alt_nsp1"
ALTER OPERATOR CLASS alt_opc1 USING hash RENAME TO alt_opc3; -- OK
ALTER OPERATOR CLASS alt_opc2 USING hash OWNER TO regress_alter_generic_user2; -- failed (no role membership)
-ERROR: must be member of role "regress_alter_generic_user2"
+ERROR: must be able to SET ROLE "regress_alter_generic_user2"
ALTER OPERATOR CLASS alt_opc2 USING hash OWNER TO regress_alter_generic_user3; -- OK
ALTER OPERATOR CLASS alt_opc2 USING hash SET SCHEMA alt_nsp2; -- OK
RESET SESSION AUTHORIZATION;
ALTER OPERATOR FAMILY alt_opf3 USING hash OWNER TO regress_alter_generic_user2; -- failed (not owner)
ERROR: must be owner of operator family alt_opf3
ALTER OPERATOR FAMILY alt_opf2 USING hash OWNER TO regress_alter_generic_user3; -- failed (no role membership)
-ERROR: must be member of role "regress_alter_generic_user3"
+ERROR: must be able to SET ROLE "regress_alter_generic_user3"
ALTER OPERATOR FAMILY alt_opf3 USING hash SET SCHEMA alt_nsp2; -- failed (not owner)
ERROR: must be owner of operator family alt_opf3
ALTER OPERATOR FAMILY alt_opf2 USING hash SET SCHEMA alt_nsp2; -- failed (name conflict)
ALTER OPERATOR CLASS alt_opc3 USING hash OWNER TO regress_alter_generic_user2; -- failed (not owner)
ERROR: must be owner of operator class alt_opc3
ALTER OPERATOR CLASS alt_opc2 USING hash OWNER TO regress_alter_generic_user3; -- failed (no role membership)
-ERROR: must be member of role "regress_alter_generic_user3"
+ERROR: must be able to SET ROLE "regress_alter_generic_user3"
ALTER OPERATOR CLASS alt_opc3 USING hash SET SCHEMA alt_nsp2; -- failed (not owner)
ERROR: must be owner of operator class alt_opc3
ALTER OPERATOR CLASS alt_opc2 USING hash SET SCHEMA alt_nsp2; -- failed (name conflict)
ERROR: statistics object "alt_stat2" already exists in schema "alt_nsp1"
ALTER STATISTICS alt_stat1 RENAME TO alt_stat3; -- OK
ALTER STATISTICS alt_stat2 OWNER TO regress_alter_generic_user2; -- failed (no role membership)
-ERROR: must be member of role "regress_alter_generic_user2"
+ERROR: must be able to SET ROLE "regress_alter_generic_user2"
ALTER STATISTICS alt_stat2 OWNER TO regress_alter_generic_user3; -- OK
ALTER STATISTICS alt_stat2 SET SCHEMA alt_nsp2; -- OK
SET SESSION AUTHORIZATION regress_alter_generic_user2;
ALTER STATISTICS alt_stat3 OWNER TO regress_alter_generic_user2; -- failed (not owner)
ERROR: must be owner of statistics object alt_stat3
ALTER STATISTICS alt_stat2 OWNER TO regress_alter_generic_user3; -- failed (no role membership)
-ERROR: must be member of role "regress_alter_generic_user3"
+ERROR: must be able to SET ROLE "regress_alter_generic_user3"
ALTER STATISTICS alt_stat3 SET SCHEMA alt_nsp2; -- failed (not owner)
ERROR: must be owner of statistics object alt_stat3
ALTER STATISTICS alt_stat2 SET SCHEMA alt_nsp2; -- failed (name conflict)
ERROR: text search dictionary "alt_ts_dict2" already exists in schema "alt_nsp1"
ALTER TEXT SEARCH DICTIONARY alt_ts_dict1 RENAME TO alt_ts_dict3; -- OK
ALTER TEXT SEARCH DICTIONARY alt_ts_dict2 OWNER TO regress_alter_generic_user2; -- failed (no role membership)
-ERROR: must be member of role "regress_alter_generic_user2"
+ERROR: must be able to SET ROLE "regress_alter_generic_user2"
ALTER TEXT SEARCH DICTIONARY alt_ts_dict2 OWNER TO regress_alter_generic_user3; -- OK
ALTER TEXT SEARCH DICTIONARY alt_ts_dict2 SET SCHEMA alt_nsp2; -- OK
SET SESSION AUTHORIZATION regress_alter_generic_user2;
ALTER TEXT SEARCH DICTIONARY alt_ts_dict3 OWNER TO regress_alter_generic_user2; -- failed (not owner)
ERROR: must be owner of text search dictionary alt_ts_dict3
ALTER TEXT SEARCH DICTIONARY alt_ts_dict2 OWNER TO regress_alter_generic_user3; -- failed (no role membership)
-ERROR: must be member of role "regress_alter_generic_user3"
+ERROR: must be able to SET ROLE "regress_alter_generic_user3"
ALTER TEXT SEARCH DICTIONARY alt_ts_dict3 SET SCHEMA alt_nsp2; -- failed (not owner)
ERROR: must be owner of text search dictionary alt_ts_dict3
ALTER TEXT SEARCH DICTIONARY alt_ts_dict2 SET SCHEMA alt_nsp2; -- failed (name conflict)
ERROR: text search configuration "alt_ts_conf2" already exists in schema "alt_nsp1"
ALTER TEXT SEARCH CONFIGURATION alt_ts_conf1 RENAME TO alt_ts_conf3; -- OK
ALTER TEXT SEARCH CONFIGURATION alt_ts_conf2 OWNER TO regress_alter_generic_user2; -- failed (no role membership)
-ERROR: must be member of role "regress_alter_generic_user2"
+ERROR: must be able to SET ROLE "regress_alter_generic_user2"
ALTER TEXT SEARCH CONFIGURATION alt_ts_conf2 OWNER TO regress_alter_generic_user3; -- OK
ALTER TEXT SEARCH CONFIGURATION alt_ts_conf2 SET SCHEMA alt_nsp2; -- OK
SET SESSION AUTHORIZATION regress_alter_generic_user2;
ALTER TEXT SEARCH CONFIGURATION alt_ts_conf3 OWNER TO regress_alter_generic_user2; -- failed (not owner)
ERROR: must be owner of text search configuration alt_ts_conf3
ALTER TEXT SEARCH CONFIGURATION alt_ts_conf2 OWNER TO regress_alter_generic_user3; -- failed (no role membership)
-ERROR: must be member of role "regress_alter_generic_user3"
+ERROR: must be able to SET ROLE "regress_alter_generic_user3"
ALTER TEXT SEARCH CONFIGURATION alt_ts_conf3 SET SCHEMA alt_nsp2; -- failed (not owner)
ERROR: must be owner of text search configuration alt_ts_conf3
ALTER TEXT SEARCH CONFIGURATION alt_ts_conf2 SET SCHEMA alt_nsp2; -- failed (name conflict)
ALTER SERVER s8 OPTIONS (connect_timeout '30', SET dbname 'db1', DROP host);
SET ROLE regress_test_role;
ALTER SERVER s1 OWNER TO regress_test_indirect; -- ERROR
-ERROR: must be member of role "regress_test_indirect"
+ERROR: must be able to SET ROLE "regress_test_indirect"
RESET ROLE;
GRANT regress_test_indirect TO regress_test_role;
SET ROLE regress_test_role;
SET ROLE pg_read_all_settings;
RESET ROLE;
RESET SESSION AUTHORIZATION;
+REVOKE SET OPTION FOR pg_read_all_settings FROM regress_priv_user8;
+GRANT pg_read_all_stats TO regress_priv_user8 WITH SET FALSE;
+SET SESSION AUTHORIZATION regress_priv_user8;
+SET ROLE pg_read_all_settings; -- fail, no SET option any more
+ERROR: permission denied to set role "pg_read_all_settings"
+SET ROLE pg_read_all_stats; -- fail, granted without SET option
+ERROR: permission denied to set role "pg_read_all_stats"
+RESET ROLE;
+RESET SESSION AUTHORIZATION;
REVOKE pg_read_all_settings FROM regress_priv_user8;
DROP USER regress_priv_user10;
DROP USER regress_priv_user9;
DROP ROLE regress_group_direct_manager;
DROP ROLE regress_group_indirect_manager;
DROP ROLE regress_group_member;
+-- test SET and INHERIT options with object ownership changes
+CREATE ROLE regress_roleoption_protagonist;
+CREATE ROLE regress_roleoption_donor;
+CREATE ROLE regress_roleoption_recipient;
+CREATE SCHEMA regress_roleoption;
+GRANT CREATE, USAGE ON SCHEMA regress_roleoption TO PUBLIC;
+GRANT regress_roleoption_donor TO regress_roleoption_protagonist WITH INHERIT TRUE, SET FALSE;
+GRANT regress_roleoption_recipient TO regress_roleoption_protagonist WITH INHERIT FALSE, SET TRUE;
+SET SESSION AUTHORIZATION regress_roleoption_protagonist;
+CREATE TABLE regress_roleoption.t1 (a int);
+CREATE TABLE regress_roleoption.t2 (a int);
+SET SESSION AUTHORIZATION regress_roleoption_donor;
+CREATE TABLE regress_roleoption.t3 (a int);
+SET SESSION AUTHORIZATION regress_roleoption_recipient;
+CREATE TABLE regress_roleoption.t4 (a int);
+SET SESSION AUTHORIZATION regress_roleoption_protagonist;
+ALTER TABLE regress_roleoption.t1 OWNER TO regress_roleoption_donor; -- fails, can't be come donor
+ERROR: must be able to SET ROLE "regress_roleoption_donor"
+ALTER TABLE regress_roleoption.t2 OWNER TO regress_roleoption_recipient; -- works
+ALTER TABLE regress_roleoption.t3 OWNER TO regress_roleoption_protagonist; -- works
+ALTER TABLE regress_roleoption.t4 OWNER TO regress_roleoption_protagonist; -- fails, we don't inherit from recipient
+ERROR: must be owner of table t4
+RESET SESSION AUTHORIZATION;
+DROP TABLE regress_roleoption.t1;
+DROP TABLE regress_roleoption.t2;
+DROP TABLE regress_roleoption.t3;
+DROP TABLE regress_roleoption.t4;
+DROP SCHEMA regress_roleoption;
+DROP ROLE regress_roleoption_recipient;
+DROP ROLE regress_roleoption_donor;
+DROP ROLE regress_roleoption_donor;
+ERROR: role "regress_roleoption_donor" does not exist
SET ROLE pg_read_all_settings;
RESET ROLE;
+RESET SESSION AUTHORIZATION;
+REVOKE SET OPTION FOR pg_read_all_settings FROM regress_priv_user8;
+GRANT pg_read_all_stats TO regress_priv_user8 WITH SET FALSE;
+
+SET SESSION AUTHORIZATION regress_priv_user8;
+SET ROLE pg_read_all_settings; -- fail, no SET option any more
+SET ROLE pg_read_all_stats; -- fail, granted without SET option
+RESET ROLE;
+
RESET SESSION AUTHORIZATION;
REVOKE pg_read_all_settings FROM regress_priv_user8;
DROP ROLE regress_group_direct_manager;
DROP ROLE regress_group_indirect_manager;
DROP ROLE regress_group_member;
+
+-- test SET and INHERIT options with object ownership changes
+CREATE ROLE regress_roleoption_protagonist;
+CREATE ROLE regress_roleoption_donor;
+CREATE ROLE regress_roleoption_recipient;
+CREATE SCHEMA regress_roleoption;
+GRANT CREATE, USAGE ON SCHEMA regress_roleoption TO PUBLIC;
+GRANT regress_roleoption_donor TO regress_roleoption_protagonist WITH INHERIT TRUE, SET FALSE;
+GRANT regress_roleoption_recipient TO regress_roleoption_protagonist WITH INHERIT FALSE, SET TRUE;
+SET SESSION AUTHORIZATION regress_roleoption_protagonist;
+CREATE TABLE regress_roleoption.t1 (a int);
+CREATE TABLE regress_roleoption.t2 (a int);
+SET SESSION AUTHORIZATION regress_roleoption_donor;
+CREATE TABLE regress_roleoption.t3 (a int);
+SET SESSION AUTHORIZATION regress_roleoption_recipient;
+CREATE TABLE regress_roleoption.t4 (a int);
+SET SESSION AUTHORIZATION regress_roleoption_protagonist;
+ALTER TABLE regress_roleoption.t1 OWNER TO regress_roleoption_donor; -- fails, can't be come donor
+ALTER TABLE regress_roleoption.t2 OWNER TO regress_roleoption_recipient; -- works
+ALTER TABLE regress_roleoption.t3 OWNER TO regress_roleoption_protagonist; -- works
+ALTER TABLE regress_roleoption.t4 OWNER TO regress_roleoption_protagonist; -- fails, we don't inherit from recipient
+RESET SESSION AUTHORIZATION;
+DROP TABLE regress_roleoption.t1;
+DROP TABLE regress_roleoption.t2;
+DROP TABLE regress_roleoption.t3;
+DROP TABLE regress_roleoption.t4;
+DROP SCHEMA regress_roleoption;
+DROP ROLE regress_roleoption_recipient;
+DROP ROLE regress_roleoption_donor;
+DROP ROLE regress_roleoption_donor;
projects / users / gsingh / postgres.git / commitdiff