The PostgreSQL permissions machinery is a pretty powerful thing. It allows people to come up with wonderful permission systems. In addition to that it is still reasonably simple to use. However, there are always some corner cases, which are often forgotten or simple not discovered by end users.
Table of Contents
In PostgreSQL a role can inherit permissions from another role. The INHERIT keywords ensure that permissions are passed on from role to role. This works perfectly and it is widely accepted by end users.
However, there is a little catch. Consider the following example:
1 2 3 4 5 6 7 8 |
test=# CREATE ROLE x NOLOGIN INHERIT SUPERUSER; CREATE ROLE test=# CREATE ROLE y LOGIN INHERIT NOSUPERUSER; CREATE ROLE test=# GRANT x TO y; GRANT ROLE |
In this case two roles are created. One role is marked as superuser and the other role is just an ordinary user. So far there is nothing special.
Let's create a simple table:
1 2 |
test=# CREATE TABLE t_test (id int); CREATE TABLE |
Now let us see, what INHERIT does. “x” is set to NOLOGIN so “x” cannot connect to the database:
1 2 |
[hs@localhost pgtest]$ psql test -U x psql: FATAL: role 'x' is not permitted to log in |
“y” can log into the database nicely because it has permissions to do so:
1 2 3 |
[hs@localhost pgtest]$ psql test -U y psql (9.5rc1) Type 'help' for help. |
Again, no surprises. However, it is surprising that “y” is not able to drop a table. Remember, “x” (= superuser) has been granted to “y” before. In PostgreSQL SUPERUSER, CREATEDB, and CREATEROLE are never inherited. In other words: Somebody can inherit from a superuser without actually being able to act as a superuser later on:
1 2 |
test=> DROP TABLE t_test; ERROR: must be owner of relation t_test |
However, there is SET ROLE: A user may decide to act as a different role granted to him:
1 2 |
test=> SET ROLE x; SET |
In this case we see that the table can indeed be dropped:
1 2 |
test=# DROP TABLE t_test; DROP TABLE |
By “downgrading” himself it can actually happen that there are more permissions available than before.
For more info on permissions/ privileges, see the following blogs:
In order to receive regular updates on important changes in PostgreSQL, subscribe to our newsletter, or follow us on Facebook or LinkedIn.
You need to load content from reCAPTCHA to submit the form. Please note that doing so will share data with third-party providers.
More InformationYou are currently viewing a placeholder content from Facebook. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
More InformationYou are currently viewing a placeholder content from X. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
More Information
Leave a Reply