Application Authorization with SET ROLE
Aurynn Shaw, Command Prompt, Inc.
PGCon 2010
Thursday, May 20, 2010
Hi
• Aurynn Shaw
• DBA/Lead Dev/PM/etc @ Command Prompt
And now I talk more
* Today we’re talking about AuthZ in PG
* Benefits, drawbacks, and a quick implementation walkthrough
* Why you should even be doing this
Permissions Systems
• Data I can access
• Data I can’t access
* Postgres handles this through standard GRANT and REVOKE statements.
* Most app fabrics handle this away from the data.
App-focused Design
* Easy enough to use the app to handle permissions
* Few-no restrictions on application powers.
* Permissions happen when the logic happens
Data Layer Disconnect
* App-focused development treats the DB as a dumb store
* Because the app embodies the AuthZ, the data fabric is at its most malleable.
* Nothing stops a malicious or badly-written app from unlimited data modification
* Relying on a limited number of eyeballs to look for bugs
DB-focused Design
* Much tighter binding to the data layer
* We can put permissions into the database, GRANT and REVOKE! Not a problem!
* Creating a user, not a problem. Everything can just work!
AuthZ is closely coupled to your login
* Poolers, especially, have only a defined login
* Forced into the broadest permissions set available
* Can’t attempt to restrict the data malleability - everything your app needs to do, your login has to be able to do, regardless of whether the user should.
Wait, I lied.
* Your login DOES embody your core permissions, but there’s this great permissions-swapping feature in PG.
SET ROLE TO stun;
Hey, this is in the talk title!
* I’ve seen this before! It’s like a Unix system!
* So, SET ROLE is the funky mojo
* Similar to SET SESSION AUTHORIZATION
* Can be unwound - a very valuable aspect.
Can only switch to roles already in your tree
* Only allows you to become roles you would have been able to be already - you can’t just become a superuser, unless you already are one.
* By default, all the roles you have are already part of your user
Why SET ROLE is interesting
* Can swap permissions dynamically, without compromising the base connection
* Vital in any pooled environment - long-lived connections don't need to be reset.
* Trusted apps can easily set the data fabric to just the permissions they need
* Can never exceed base fabric permissions
Transactional, too!
* Single transactions can be in their own permissions space
* Automatic, implicit RESET ROLE command on ROLLBACK
Transactional, too!
A quick example.
```
template1=# BEGIN;
BEGIN
template1=# SET ROLE test;
SET
template1=> ROLLBACK;
ROLLBACK
template1=#
```
Transactional, too!
And another:
```
test=> BEGIN;
BEGIN
test=> SET ROLE test;
SET
test=> SELECT * FROM test;
--
(0 rows)
test=> ROLLBACK;
ROLLBACK
test=> SELECT * FROM test;
ERROR: permission denied for relation test
```
Well, partly.
```
template1=# BEGIN;
BEGIN
template1=# SET ROLE test;
SET
template1=> COMMIT;
COMMIT
template1=>
```
So it doesn’t quite work like you’d expect for a committed transaction.
So always RESET ROLE
```
template1=# BEGIN;
BEGIN
template1=# SET ROLE test;
SET
template1=> COMMIT;
COMMIT
template1=> RESET ROLE;
RESET
template1=#
```
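The per-transaction pattern those sessions lead to, written out as an added example (this is not code from the talk): the explicit RESET ROLE the talk advises after COMMIT, and PostgreSQL's SET LOCAL ROLE form, whose effect ends with the transaction whether it commits or rolls back. The `content` table, the `content_read` permission role and the `app_login` login role are constructed here; an application's own role names would differ.

```sql
-- Setup: run as a role that owns the schema. Table and roles are
-- constructed for this example.
CREATE TABLE content (id serial PRIMARY KEY, body text);
REVOKE ALL ON content FROM PUBLIC;

CREATE ROLE content_read NOLOGIN;
GRANT SELECT ON content TO content_read;

-- The role the application connects as. NOINHERIT means membership in
-- content_read grants nothing until the session issues SET ROLE.
CREATE ROLE app_login LOGIN NOINHERIT;
GRANT content_read TO app_login;

-- Everything below runs in a session connected as app_login.

-- Pattern 1 (what the talk advises): SET ROLE at the top of the
-- transaction, and an explicit RESET ROLE no matter how it ended.
BEGIN;
SET ROLE content_read;
SELECT current_user, session_user;   -- content_read | app_login
SELECT count(*) FROM content;        -- allowed via content_read
COMMIT;
RESET ROLE;                          -- COMMIT kept the role; undo it by hand
SELECT current_user;                 -- app_login again

-- Pattern 2: SET LOCAL ROLE is scoped to the transaction, so the role is
-- dropped at COMMIT as well as at ROLLBACK. A forgotten RESET ROLE can
-- no longer leave a pooled connection holding the elevated role.
BEGIN;
SET LOCAL ROLE content_read;
SELECT count(*) FROM content;        -- allowed
COMMIT;
SELECT current_user;                 -- app_login: reverted automatically
SELECT count(*) FROM content;        -- ERROR: permission denied (app_login holds nothing)
```

Two things to keep in mind when moving this into application code. SET ROLE takes an identifier, not a bind parameter, so the role name has to be quoted as an identifier (PostgreSQL's `quote_ident()` or the driver's identifier-quoting helper), never concatenated in as a string. And neither form is a sandbox: anything able to run arbitrary SQL on the connection can issue RESET ROLE itself, which is exactly the SQL-injection caveat the talk makes later.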
Our Why
* Explored this to support a large Web application with very clear-cut access rules: A resource either is or isn’t accessible.
* In-app frameworks were insufficient - and not useful when we needed external software
  - Rewriting perms is a pain.
Other Cool Whys
* Single definition of our permissions model, as close to the relevant data as possible.
* Don't Repeat Yourself
* Non-trusted clients can't manipulate your data fabric beyond your whim - you already have strong permissions on the data itself.
But there’s all those other permissions systems...
* Lots, in a variety of languages
* Including that one you’re working on right now
* And that other one YOU LOVE.
* Should you use them? They work, to a point
* Valuable aspect of the permissions setup
* Exclusive use ends up looking like THIS
This
• Data I can access
• Data I can’t access
• Data I shouldn’t access, but can
* A normal pooled application with a single set of credentials relies on the app to handle auth
* Never more than a strong warning about not using a resource, and some unfriendly language from your DBA.
Principle of Least Permission
* You should never have more ability than you need.
* Any time you do, Bad Things can happen.
* In-app permissions systems tend to violate this
Stolen from Stephen Frost
Implementation (it’s easy)
So, let’s look at how to go about implementing a SET ROLE-based system in your application framework. It’s surprisingly easy to do, too! Let’s begin.
GRANT and REVOKE
First, a fairly core component is that you have to go through and GRANT and REVOKE the various tables, views and such that make up your database.
REVOKE
A simple REVOKE example.
```
test=# CREATE TABLE test ();
CREATE TABLE
test=# REVOKE ALL ON test FROM PUBLIC;
REVOKE
test=# SET ROLE TO test;
SET
test=> SELECT * FROM test;
ERROR: permission denied for relation test
test=>
```
GRANT
And a GRANT.
```
test=> SET ROLE TO aurynn;
SET
test=# GRANT ALL ON test TO test;
GRANT
test=# SET ROLE TO test;
SET
test=> SELECT * FROM test;
--
(0 rows)
test=>
```
A Permissions Tree
Next, a permissions tree. This aspect of a SET ROLE design is really, really, really dependent on your application structure. To really get the most benefit from a SET ROLE environment, you should spend some time laying out every single last permission that you want to have - as fine-grained as you can. This ends up being very valuable later, when you need to add less trustworthy clients.
A Permissions Tree
```sql
CREATE ROLE content_read NOLOGIN;
CREATE ROLE content_write NOLOGIN;
CREATE ROLE content_delete NOLOGIN;
```
```sql
CREATE ROLE user_base NOLOGIN;
GRANT content_read TO user_base;
GRANT content_write TO user_base;
CREATE ROLE admin_base NOLOGIN;
GRANT content_delete TO admin_base;
GRANT user_base TO admin_base;
```
Your final node points
user, admin, moderator, etc.
Your final node points are the specific roles that a given user is going to be granted into - users, moderators, administrators, whatever. Your software would then issue SET ROLE TO your_user_role at the beginning of your transaction.
Caveat: Custom permissions are hard.
Permissions Endpoints
```sql
-- "user" is a reserved word in PostgreSQL, so it has to be double-quoted
CREATE USER "user" NOINHERIT;
GRANT user_base TO "user";
CREATE USER admin NOINHERIT;
GRANT admin_base TO admin;
```
NOINHERIT
The next piece is NOINHERIT. Right now, without this, you’d not exactly be restricting your permissions set - just granting the full set of useful permissions to a more limited, non-superuser user. Pretty much exactly the same as before.
With NOINHERIT, we mark that those endpoint roles that we just defined aren’t applied to our login role - we have to explicitly SET ROLE to grab those permissions.
A fully REVOKE’d login user
* The credentials that the application/pooler/whatever uses to connect.
* This has pretty much every single possible permission removed. All this role can do is SET ROLE to a different role, and pick up those permissions.
* By default, no connections can actually do anything useful.
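The tree the preceding slides build up, carried through to a fully revoked login role as an added example (not code from the talk), with catalog queries that verify NOINHERIT did what the slides say it does. The `content` table, its grants and the `app_login` role are constructed here; the permission and endpoint role names are the talk's own.

```sql
-- Run as a role that owns the schema. Table and app_login are constructed
-- for this example; the other role names follow the talk.

-- Permission roles: one per capability, never used to log in.
CREATE ROLE content_read   NOLOGIN;
CREATE ROLE content_write  NOLOGIN;
CREATE ROLE content_delete NOLOGIN;

-- Endpoint roles: what the application will SET ROLE to.
CREATE ROLE user_base NOLOGIN;
GRANT content_read  TO user_base;
GRANT content_write TO user_base;

CREATE ROLE admin_base NOLOGIN;
GRANT user_base      TO admin_base;
GRANT content_delete TO admin_base;

-- Privileges live on the permission roles only.
CREATE TABLE content (id serial PRIMARY KEY, body text);
REVOKE ALL ON content FROM PUBLIC;
GRANT SELECT         ON content TO content_read;
GRANT INSERT, UPDATE ON content TO content_write;
GRANT DELETE         ON content TO content_delete;
GRANT USAGE ON SEQUENCE content_id_seq TO content_write;  -- inserts need the sequence

-- The single login role. NOINHERIT turns its memberships into permission
-- to SET ROLE rather than standing privileges.
CREATE ROLE app_login LOGIN NOINHERIT PASSWORD 'example-only';
GRANT user_base  TO app_login;
GRANT admin_base TO app_login;

-- Verify the shape. 'MEMBER' asks "may it SET ROLE to this?";
-- 'USAGE' asks "does it hold this role's privileges right now?".
SELECT r.rolname,
       pg_has_role('app_login', r.rolname, 'MEMBER') AS can_set_role,
       pg_has_role('app_login', r.rolname, 'USAGE')  AS inherits
  FROM pg_roles r
 WHERE r.rolname IN ('user_base', 'admin_base', 'content_delete');
-- expected: can_set_role = t for all three rows, inherits = f for all three

-- In a session connected as app_login:
SELECT count(*) FROM content;   -- ERROR: permission denied
SET ROLE user_base;
SELECT count(*) FROM content;   -- allowed: user_base inherits content_read
DELETE FROM content;            -- ERROR: permission denied (no content_delete)
RESET ROLE;
SET ROLE admin_base;
DELETE FROM content;            -- allowed: admin_base inherits content_delete
RESET ROLE;
```

The `pg_has_role` query is the check worth keeping in a deployment test: if someone later recreates `app_login` without NOINHERIT, `inherits` flips to `t` and the connection silently holds every endpoint's privileges at once, which is exactly the "data I shouldn't access, but can" state the talk warns about.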
Application Modifications
Lastly, modify your application. It’s somewhat obvious, but it has to be said.
It’s just that easy!
You’ve now successfully integrated a SET ROLE-based permissions system into your application. It’s just that easy.
It’s not quite that easy
I lied again.
Well, it’s almost that easy. There are some bits that you do have to pay attention to, that you wouldn’t otherwise.
It’s not quite that easy
• You have to catch permissions errors
At least in Python’s psycopg2, permissions errors aren’t mapped to something useful - you have to handle it yourself.
Plug, the shameless kind
• Exceptable, an exception-trapping library for Python
• Turns PG exceptions into smarter Python exceptions.
• We could use help with this - other language support &c.
It’s not quite that easy
• It’s really coarsely grained
For one, this is fairly coarse-grained - you can restrict tables, but not individual rows in those tables. For that, there's nothing to be done but write a stored procedure, or a view that checks whether or not the user *can* read those rows.
The same applies for writes, obviously - but that's a bit easier to solve with triggers to verify per-row permissions, as opposed to the per-table permissions.
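The view-for-reads, trigger-for-writes arrangement that paragraph describes, as an added example (not code from the talk). It assumes each application user maps to its own database role, so that `current_user` identifies the row owner after SET ROLE; the talk's shared `user_base` endpoint would not distinguish users, which is its "custom permissions are hard" caveat. Table, view, trigger and the `alice`/`bob`/`app_login` roles are constructed here. On PostgreSQL 9.5 and later, row-level security policies do this natively; the pattern below is what was available at the time and still works.

```sql
-- Run as a role that owns the schema. All names are constructed.
CREATE ROLE content_read  NOLOGIN;
CREATE ROLE content_write NOLOGIN;

CREATE TABLE content (
    id          serial PRIMARY KEY,
    owner_role  name NOT NULL DEFAULT current_user,   -- whoever SET ROLE'd and inserted
    body        text
);
REVOKE ALL ON content FROM PUBLIC;

-- Reads: the view filters on the current role. Views run with their
-- owner's privileges, so SELECT on the view suffices and the base table
-- stays closed. security_barrier (9.2+) stops a caller-supplied function
-- in a query from being evaluated before the filter and seeing other rows.
CREATE VIEW my_content WITH (security_barrier = true) AS
    SELECT id, owner_role, body
      FROM content
     WHERE owner_role = current_user;
GRANT SELECT ON my_content TO content_read;

-- Writes: content_write may touch the base table, but only the id and
-- owner columns are readable (needed for WHERE clauses); the trigger
-- rejects rows the current role does not own. Raising with SQLSTATE
-- 42501 (insufficient_privilege) makes it look to the application exactly
-- like a table-level permission denial, so one error handler covers both.
GRANT INSERT, UPDATE, DELETE ON content TO content_write;
GRANT SELECT (id, owner_role) ON content TO content_write;
GRANT USAGE ON SEQUENCE content_id_seq TO content_write;

CREATE FUNCTION enforce_row_owner() RETURNS trigger AS $$
BEGIN
    IF TG_OP = 'DELETE' THEN
        IF OLD.owner_role <> current_user THEN
            RAISE EXCEPTION 'row % is owned by %, not %', OLD.id, OLD.owner_role, current_user
                  USING ERRCODE = 'insufficient_privilege';
        END IF;
        RETURN OLD;
    END IF;
    IF TG_OP = 'UPDATE' AND OLD.owner_role <> current_user THEN
        RAISE EXCEPTION 'row % is owned by %, not %', OLD.id, OLD.owner_role, current_user
              USING ERRCODE = 'insufficient_privilege';
    END IF;
    IF NEW.owner_role <> current_user THEN   -- INSERT or UPDATE re-assigning ownership
        RAISE EXCEPTION 'cannot assign row to %', NEW.owner_role
              USING ERRCODE = 'insufficient_privilege';
    END IF;
    RETURN NEW;
END
$$ LANGUAGE plpgsql;

CREATE TRIGGER content_row_owner
    BEFORE INSERT OR UPDATE OR DELETE ON content
    FOR EACH ROW EXECUTE PROCEDURE enforce_row_owner();

-- Per-user roles and the login role that may switch to them.
CREATE ROLE alice NOLOGIN;
CREATE ROLE bob   NOLOGIN;
GRANT content_read, content_write TO alice, bob;
CREATE ROLE app_login LOGIN NOINHERIT;
GRANT alice, bob TO app_login;

-- In a session connected as app_login:
SET ROLE alice;
INSERT INTO content (body) VALUES ('alice''s note');  -- owner_role defaults to alice
RESET ROLE;
SET ROLE bob;
SELECT * FROM my_content;                     -- 0 rows: alice's row is filtered out
UPDATE content SET body = 'x' WHERE id = 1;   -- ERROR 42501: row 1 is owned by alice, not bob
RESET ROLE;
```

The important detail on the write side is the error code: a trigger that raises a generic exception gives the application a different SQLSTATE than a GRANT failure, so the permission-error mapping the next slides discuss would have to special-case it.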
It’s not quite that easy
• Requires modifications to the DB interface
* You need to add the SET ROLE mojo before you start running queries
It’s not quite that easy
• Adds additional wire traffic
You actually have to send the SET ROLE and possibly RESET ROLE commands.
It’s not quite that easy
• Just as vulnerable to SQL injection as you were before
This doesn’t give you any real additional protection against SQL injection attacks - it’s pretty much security-by-obscurity at best, by requiring SET ROLE before your injection. It does, however, grant you protection against random DELETE and DROP crap, which is good for something.
So always sanitize your inputs.
It’s just good data hygiene. Like brushing your teeth.
It’s not quite that easy
• You have to catch permissions errors
• It’s really coarsely grained
• Requires modifications to the DB interface
• Adds additional wire traffic
• Just as vulnerable to SQL injection as you were before
• Not entirely transactional
As I showed you before, it’s not really transactional - you have to pay pretty close attention to your RESET ROLE statements.
set session_authorization
* The difference between SET ROLE and SET session_authorization is a matter of semantics, mostly - both achieve the same effect.
* set session_authorization changes what roles are available to SET to, though
set session_authorization
```
test=# SET SESSION_AUTHORIZATION TO pgcon;
SET
test=> SET ROLE TO aurynn;
ERROR: permission denied to set role "aurynn"
test=> SET SESSION_AUTHORIZATION TO aurynn;
SET
test=#
```
* Remarkably similar
* Alters what roles are reachable from future SET ROLE requests.
* Useful from the perspective of additional layers of restriction over the connection
So that’s it. Any questions?
Thank you!
Slides will be available.