PG-853: Access control of pg_tde SQL functions #277
Conversation
Add SQL interfaces for granting and revoking access to key management and viewer functions.

This commit introduces four new SQL functions to manage access to key-related functionalities in the `pg_tde` extension:

- `tde_grant_key_management_to_role`: Grants execute permissions on key management functions to the specified user or role.
- `tde_revoke_key_management_from_role`: Revokes execute permissions on key management functions from the specified user or role.
- `tde_grant_key_viewer_to_role`: Grants execute permissions on key viewer functions to the specified user or role.
- `tde_revoke_key_viewer_from_role`: Revokes execute permissions on key viewer functions from the specified user or role.

Additionally, upon creating the extension, all execute permissions are revoked from the `PUBLIC` role. Therefore, a superuser must explicitly grant the necessary permissions to non-superusers to access these functions after the extension is created.

These additions provide a more controlled and secure way to manage permissions for key management and viewer functionalities within the extension.
```perl
PGTDE::append_to_file("-- pg_tde_set_principal_key should also fail");
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');", extra_params => ['-a', '-U', 'test_access']);
PGTDE::append_to_file($stderr);
```
I'd also check that there is no access to `pg_tde_rotate_principal_key`.
Done!
pg_tde--1.0.sql (Outdated)
```sql
PERFORM tde_grant_execute_privilege_on_function(target_user_or_role, 'pg_tde_list_all_key_providers', 'OUT INT, OUT varchar, OUT varchar, OUT JSON');
PERFORM tde_grant_execute_privilege_on_function(target_user_or_role, 'pg_tde_is_encrypted', 'VARCHAR');

PERFORM tde_grant_execute_privilege_on_function(target_user_or_role, 'pg_tde_principal_key_info_internal', 'BOOLEAN');
PERFORM tde_grant_execute_privilege_on_function(target_user_or_role, 'pg_tde_principal_key_info', '');
PERFORM tde_grant_execute_privilege_on_function(target_user_or_role, 'pg_tde_principal_key_info', 'pg_tde_global');
```
Should we use just `PERFORM tde_grant_key_viewer_to_role(target_user_or_role);` instead? It'll be easier to read and maintain both functions, as for me.
Done!
Another question: I mean, shouldn't revoke access to

Why
This commit includes the following updates:

- Updated the prefix of newly added function names from `tde_` to `pg_tde_`.
- Enhanced the `access_control` test case to also verify permissions for the `rotate_key`, `..list_key_providers`, and `key_info` functions.
The reason I'm performing the grant/revoke on every function is to ensure that if a "permission denied" error occurs, it reflects the name of the function the user actually called. Simply revoking access from the `*_internal` function would also trigger a permission denied error, but it would always refer to the internal function that the user did not directly execute.
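The pattern discussed in this thread (revoke EXECUTE from `PUBLIC` when the extension is created, then grant it per function through a role-level wrapper, covering the `*_internal` function as well as the public one so the error a caller sees names the function they actually invoked) can be reproduced on any PostgreSQL without `pg_tde`. The following is an added illustration, not code from the pg_tde project: the `demo_*` functions and the `demo_key_info`/`demo_key_info_internal` pair are constructed stand-ins for the extension's wrapper/internal functions, and `test_access` mirrors the role used in the PR's TAP test. Run it as a superuser in a scratch database.

```sql
-- Constructed stand-ins for an internal function and the public wrapper that calls it.
-- Both run with the caller's privileges (no SECURITY DEFINER), exactly as the PR's
-- comment about "permission denied" on the *_internal function assumes.
CREATE FUNCTION demo_key_info_internal(is_global boolean) RETURNS text
LANGUAGE sql AS $$
    SELECT CASE WHEN is_global THEN 'global key' ELSE 'database key' END
$$;

CREATE FUNCTION demo_key_info() RETURNS text
LANGUAGE sql AS $$
    SELECT demo_key_info_internal(false)
$$;

-- PostgreSQL grants EXECUTE on every new function to PUBLIC by default, so the
-- extension script has to take it away explicitly (what the PR does on CREATE EXTENSION).
REVOKE EXECUTE ON FUNCTION demo_key_info_internal(boolean) FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION demo_key_info() FROM PUBLIC;

-- Generic helper modelled on the PR's tde_grant_execute_privilege_on_function
-- (assumed shape; the real one may differ). %I quote-identifies the role and
-- function names; arg_types is a literal chosen by the extension, never by the caller.
CREATE FUNCTION demo_grant_execute(target_role text, func_name text, arg_types text)
RETURNS void LANGUAGE plpgsql AS $$
BEGIN
    EXECUTE format('GRANT EXECUTE ON FUNCTION %I(%s) TO %I',
                   func_name, arg_types, target_role);
END;
$$;

CREATE FUNCTION demo_revoke_execute(target_role text, func_name text, arg_types text)
RETURNS void LANGUAGE plpgsql AS $$
BEGIN
    EXECUTE format('REVOKE EXECUTE ON FUNCTION %I(%s) FROM %I',
                   func_name, arg_types, target_role);
END;
$$;

-- Role-level wrappers modelled on pg_tde_grant_key_viewer_to_role /
-- pg_tde_revoke_key_viewer_from_role. Every function the viewer needs is listed,
-- internal ones included, so a caller never gets an error naming a function it did not call.
CREATE FUNCTION demo_grant_key_viewer_to_role(target_role text)
RETURNS void LANGUAGE plpgsql AS $$
BEGIN
    PERFORM demo_grant_execute(target_role, 'demo_key_info_internal', 'boolean');
    PERFORM demo_grant_execute(target_role, 'demo_key_info', '');
END;
$$;

CREATE FUNCTION demo_revoke_key_viewer_from_role(target_role text)
RETURNS void LANGUAGE plpgsql AS $$
BEGIN
    PERFORM demo_revoke_execute(target_role, 'demo_key_info_internal', 'boolean');
    PERFORM demo_revoke_execute(target_role, 'demo_key_info', '');
END;
$$;

-- Exercise it with a non-superuser role.
CREATE ROLE test_access LOGIN;

-- Before the grant: neither function is executable by test_access.
SELECT p.proname,
       has_function_privilege('test_access', p.oid, 'EXECUTE') AS can_execute
FROM pg_proc p
WHERE p.proname IN ('demo_key_info', 'demo_key_info_internal');

SELECT demo_grant_key_viewer_to_role('test_access');

-- After the grant: both rows report true. If only demo_key_info had been granted,
-- "SET ROLE test_access; SELECT demo_key_info();" would fail with
-- "permission denied for function demo_key_info_internal", the confusing
-- message the PR author is avoiding by granting every function explicitly.
SELECT p.proname,
       has_function_privilege('test_access', p.oid, 'EXECUTE') AS can_execute
FROM pg_proc p
WHERE p.proname IN ('demo_key_info', 'demo_key_info_internal');

SELECT demo_revoke_key_viewer_from_role('test_access');
```

The `has_function_privilege` query is the cheap way to audit what a role can reach after installation; running it for every `pg_tde_*` function against each application role is a reasonable post-deployment check that the `PUBLIC` revoke held and that only the intended roles received the management or viewer grants.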