Обсуждение: Why do i need to install set_user extension if i can directly grant all required privileges to user?

> On 20/06/2023 13:33 CEST Bhasker Bathini <onelargepeg@gmail.com> wrote:
>
> Hi , i was wondering, why do i need to install set_user extension when i can
> grant all the privileges to user directly?

Are you talking about https://github.com/pgaudit/set_user ?

I never used this extension but after skimming over the readme it looks like
a replacement for SET ROLE and SET SESSION AUTHORIZATION with logging for audit
purposes.

> Is there any advantage or any scenario where i can only perform having
> set_user grants?

Changing roles is already possible in Postgres.  You must be a member of the
target role or be a superuser in order to change roles.  I don't know if the
set_user extension behaves identical to SET ROLE etc. because it also supports
whitelisting of target roles and superusers.

The extension may be relevant to you if the whitelist feature or auditing is
a requirement for your project.  But I'm not sure if the whitelist feature
bypasses the membership requirement imposed by SET ROLE or if you still have
to grant memberships to target roles.

--
Erik

Changing roles is already possible in Postgres.  You must be a member of the
target role or be a superuser in order to change roles. 

This is going to change in detail as of version 16 of PostgreSQL. You may determine whether a role switch is allowed or not.

Excerpt from https://www.postgresql.org/docs/16/sql-grant.html:

"The SET option, if it is set to TRUE, allows the member to change to the granted role using the SET ROLE command. If a role is an indirect member of another role, it can use SET ROLE to change to that role only if there is a chain of grants each of which has SET TRUE. This option defaults to TRUE."

-- 
Holger Jakobs, Bergisch Gladbach, Tel. +49-178-9759012

On 6/21/23 10:38, Bhasker Bathini wrote:
> Thank you for the quick response.
> 
> What if i can grant all the required privileges or even making the user 
> a superuser, why do i need set_user ?
> 
> Does set_user is just to make sure users with direct privileges wont 
> accidently modify critical information/parameters unless they set the 
> session to elevated privileged role to perform the operation?
> 
> I am not able to find a reason why i need set_user extension?

There are two main use cases for set_user:

1/ Allow an unprivileged admin role to escalate to superuser, but (to 
the extent possible) ensure every command issued is logged for audit 
purposes. It can also block things like COPY PROGRAM and ALTER SYSTEM 
that might allow them to do things you do not wish to allow. Once 
escalated, there are ways they could bypass the controls, but the act of 
bypassing itself would get logged, so if you monitor and alert you would 
catch it.

2/ Allow a single unprivileged role to be used to switch to other 
unprivileged roles, without having to grant all of them, and with the 
ability to set a random token so that switching back (and thus to 
indirectly other roles) requires the token. Think in terms of a web app 
that uses a single role to log in but then switches to a actual users 
role. Or a proxy or load balancer of sorts.



-- 
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com