Discussion: Why do I need to install the set_user extension if I can directly grant all required privileges to a user?
> On 20/06/2023 13:33 CEST Bhasker Bathini <onelargepeg@gmail.com> wrote:
>
> Hi, I was wondering, why do I need to install the set_user extension when I can
> grant all the privileges to the user directly?

Are you talking about https://github.com/pgaudit/set_user ?

I never used this extension but after skimming over the readme it looks like a replacement for SET ROLE and SET SESSION AUTHORIZATION with logging for audit purposes.

> Is there any advantage or any scenario where I can only perform having
> set_user grants?

Changing roles is already possible in Postgres. You must be a member of the target role or be a superuser in order to change roles.

I don't know if the set_user extension behaves identically to SET ROLE etc. because it also supports whitelisting of target roles and superusers. The extension may be relevant to you if the whitelist feature or auditing is a requirement for your project. But I'm not sure if the whitelist feature bypasses the membership requirement imposed by SET ROLE or if you still have to grant memberships to target roles.

-- Erik
On 21.06.23 at 15:33 Erik Wienhold wrote:
> Changing roles is already possible in Postgres. You must be a member of the target role or be a superuser in order to change roles.

This is going to change in detail as of version 16 of PostgreSQL. You may determine whether a role switch is allowed or not.

Excerpt from https://www.postgresql.org/docs/16/sql-grant.html:

"The SET option, if it is set to TRUE, allows the member to change to the granted role using the SET ROLE command. If a role is an indirect member of another role, it can use SET ROLE to change to that role only if there is a chain of grants each of which has SET TRUE. This option defaults to TRUE."

-- Holger Jakobs, Bergisch Gladbach, Tel. +49-178-9759012
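The following SQL session is an added illustration of the native mechanism Erik and Holger describe (role membership plus the PostgreSQL 16 SET option on GRANT); it is not code from the thread or from the set_user project. Role names are constructed for the example, and it assumes a PostgreSQL 16 server with a superuser connection for the DDL and a second connection as the login role for the SET ROLE lines.

```sql
-- Added example (constructed role names). Run the DDL as a superuser on PostgreSQL 16.
CREATE ROLE app_login LOGIN PASSWORD 'placeholder-change-me';
CREATE ROLE reporting NOLOGIN;
CREATE ROLE billing   NOLOGIN;
CREATE ROLE analyst   NOLOGIN;

-- Membership with the default SET TRUE: app_login may SET ROLE reporting.
GRANT reporting TO app_login;

-- Membership with SET FALSE (new in 16): app_login still inherits billing's
-- privileges (INHERIT is a separate option, also TRUE by default) but can no
-- longer *become* billing with SET ROLE. Before 16 every membership allowed it.
GRANT billing TO app_login WITH SET FALSE;

-- Indirect membership: reporting -> analyst, again SET TRUE by default, so the
-- chain app_login -> reporting -> analyst has SET TRUE at every hop.
GRANT analyst TO reporting;

-- Now in a session connected as app_login:
SET ROLE reporting;        -- allowed: direct member, SET TRUE
SELECT current_user;       -- reporting
RESET ROLE;                -- note: switching back needs no token at all
SET ROLE analyst;          -- allowed: chain of SET TRUE grants
RESET ROLE;
SET ROLE billing;          -- fails: permission denied, membership has SET FALSE
SET ROLE postgres;         -- fails: app_login is not a member of postgres
```

Two points worth checking in your own cluster: whether each membership you hand out really needs SET TRUE (a role that only needs another role's privileges can get INHERIT without SET), and the fact that RESET ROLE is always available to the session, which is the gap the token in set_user's reset function is meant to close.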
Hi, I was wondering, why do I need to install the set_user extension when I can grant all the privileges to the user directly?
On 6/21/23 10:38, Bhasker Bathini wrote:
> Thank you for the quick response.
>
> What if I can grant all the required privileges or even make the user
> a superuser, why do I need set_user?
>
> Is set_user just to make sure users with direct privileges won't
> accidentally modify critical information/parameters unless they set the
> session to an elevated privileged role to perform the operation?
>
> I am not able to find a reason why I need the set_user extension?

There are two main use cases for set_user:

1/ Allow an unprivileged admin role to escalate to superuser, but (to the extent possible) ensure every command issued is logged for audit purposes. It can also block things like COPY PROGRAM and ALTER SYSTEM that might allow them to do things you do not wish to allow. Once escalated, there are ways they could bypass the controls, but the act of bypassing itself would get logged, so if you monitor and alert you would catch it.

2/ Allow a single unprivileged role to be used to switch to other unprivileged roles, without having to grant all of them, and with the ability to set a random token so that switching back (and thus indirectly to other roles) requires the token. Think in terms of a web app that uses a single role to log in but then switches to an actual user's role. Or a proxy or load balancer of sorts.

--
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
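The SQL below is an added example showing Joe's two use cases with set_user side by side; it is not from the thread and not the extension's own documentation. The function names (set_user, set_user_u, reset_user) and the set_user.block_* settings are taken from my reading of the extension's README and should be checked against the version you install; the role names, the token and the error comments are constructed for the example.

```sql
-- Added example (constructed role names and token; names per the set_user README as I
-- read it, verify against your installed version).
--
-- postgresql.conf (assumption: the blocking hooks need the library preloaded):
--   shared_preload_libraries = 'set_user'
--   set_user.block_alter_system = on      -- refuse ALTER SYSTEM while escalated
--   set_user.block_copy_program = on      -- refuse COPY ... PROGRAM while escalated
--   log_statement = 'all'                 -- keep a full statement trail for audit

CREATE EXTENSION set_user;

-- Use case 1: an on-call admin who is NOT a superuser but may escalate, with logging.
CREATE ROLE dba_oncall LOGIN PASSWORD 'placeholder-change-me';
GRANT EXECUTE ON FUNCTION set_user_u(text) TO dba_oncall;
-- In a session connected as dba_oncall:
SELECT set_user_u('postgres');        -- the escalation itself is logged
ALTER SYSTEM SET work_mem = '1GB';    -- refused while escalated (block_alter_system)
SELECT reset_user();                  -- back to dba_oncall, also logged

-- Use case 2: one pooled login role that becomes the authenticated end user
-- without being granted membership in any per-user role.
CREATE ROLE web_pool LOGIN PASSWORD 'placeholder-change-me';
CREATE ROLE alice NOLOGIN;
CREATE ROLE bob   NOLOGIN;
GRANT EXECUTE ON FUNCTION set_user(text), set_user(text, text) TO web_pool;

-- In a session connected as web_pool; the application generated the token
-- server-side for this request and never sends it to the browser:
SELECT set_user('alice', 'constructed-token-7d1f9a');
SELECT current_user;                             -- alice
-- SQL injected into alice's session cannot escape to another user:
SELECT reset_user();                             -- fails: token required
SELECT set_user('bob');                          -- fails: a switch is already active
-- Only the application, holding the token, returns to the pool role:
SELECT reset_user('constructed-token-7d1f9a');
SELECT current_user;                             -- web_pool

-- Contrast with the native route (GRANT alice TO web_pool; GRANT bob TO web_pool;):
-- SET ROLE alice works, but RESET ROLE needs no token, so anything running in
-- alice's session can RESET ROLE and then SET ROLE bob. The token closes that gap.
```

From a monitoring standpoint the value of use case 1 is only realised if the log lines for set_user_u, reset_user and any refused ALTER SYSTEM / COPY PROGRAM are shipped somewhere the escalated admin cannot edit and are alerted on; the extension records the attempt, it does not stop a determined superuser.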
On Wed, Jun 21, 2023 at 7:50 AM Bhasker Bathini <onelargepeg@gmail.com> wrote:
> Hi, I was wondering, why do I need to install the set_user extension when I can grant all the privileges to the user directly?

Surely you don't need to install set_user in general. Indeed, I've never even heard of it before.

Maybe you need it for some specific use, but you didn't describe anything about what you are doing.

Cheers,

Jeff