From 5fdcc9dc1008fd86e48e5540b8278730d6963a9a Mon Sep 17 00:00:00 2001
From: "Karl O. Pinc" <kop@karlpinc.com>
Date: Tue, 21 Jan 2025 14:31:31 -0600
Subject: [PATCH] Introduce a role_owner group into the PG permission system

This new role is used to assign permissions.  (The permissions granted
by membership in other roles.)  This prevents users from losing their
permissions when the creating role is dropped, as when an
administrator leaves.  It pushes the chicken-and-egg problem back to
the administrator level.  This is then handled by saying in the docs:
"Don't use a role that will go away when creating administrators."
---
 bin/sokwedb-user-add.m4             |  68 +++++++----
 bin/sokwedb-user-delete.m4          |  19 +++-
 db/creategroups.m4                  |  48 +++++++-
 doc/src/architecture.m4             |   1 +
 doc/src/architecture/permissions.m4 | 101 +++++++++++++++++
 doc/src/architecture/users.m4       | 170 +++++++++++++++++-----------
 include/global_constants.m4         |   1 +
 7 files changed, 317 insertions(+), 91 deletions(-)
 create mode 100644 doc/src/architecture/permissions.m4

diff --git a/bin/sokwedb-user-add.m4 b/bin/sokwedb-user-add.m4
index a77d13f..f9167ad 100644
--- a/bin/sokwedb-user-add.m4
+++ b/bin/sokwedb-user-add.m4
@@ -1,5 +1,6 @@
 #!/bin/sh
-# Copyright (C) 2012, 2023 The Meme Factory, Inc.  http://www.karlpinc.com/
+# Copyright (C) 2012, 2023, 2025 The Meme Factory, Inc.
+#           http://www.karlpinc.com/
 # Copyright (C) 2005, 2008, 2011 Karl O. Pinc <kop@karlpinc.com>
 #
 #   This program is free software: you can redistribute it and/or modify
@@ -97,49 +98,74 @@ fi
 
 if [ -n "$ADMIN" ] ; then
   psql $HOSTARGS -U $A_ADMINUSER -d template1 <<EOF
-create role $A_USER login createrole createdb password '$A_USER';
-grant sdb_admin_group
-    , pg_read_all_data
-    , pg_write_all_data
-    , pg_monitor
-    , pg_read_all_settings
-    , pg_read_all_stats
-    , pg_stat_scan_tables
-    , pg_signal_backend
-    , pg_checkpoint
-      TO $A_USER;
+begin;
+-- Allow the new admin to create other admins, even after the
+-- creating admin is gone.
+-- (Can't be done -- have a 2nd role that creates all the roles
+--  and "owns" them.)
+create role $A_USER login createrole createdb bypassrls password '$A_USER';
+set role sdb_role_owner;
+grant sdb_admin_group to $A_USER with admin option;
+reset role;
+grant sdb_role_owner to $A_USER with admin option;
 $AZURE_GRANTS
+commit;
 \q
 EOF
 elif [ -n "$DEV" ] ; then
   psql $HOSTARGS -U $A_ADMINUSER -d template1 <<EOF
-create role $A_USER login createrole createdb password '$A_USER';
-grant sdb_admin_group to $A_USER;
+begin;
+set role to pdb_role_owner;
+create role $A_USER login password '$A_USER';
+grant pdb_admin_group to $A_USER;
+reset role;
+alter role $A_USER createdb bypassrls;
+commit;
 \q
 EOF
 else
   psql $HOSTARGS -U $A_ADMINUSER -d sokwedb <<EOF
 begin;
-create user $A_USER password '$A_USER';
+set role to sdb_role_owner;
+create user $A_USER login password '$A_USER';
+grant $A_USER to sdb_role_owner;
 alter group $A_GROUP add user $A_USER;
-grant $A_USER TO $A_ADMINUSER;
+grant $A_USER to sdb_admin_group with admin option;
+reset role;
+set role to sdb_admin_group;
 create schema $A_USER authorization $A_USER;
 grant usage on schema $A_USER to public;
-revoke $A_USER FROM $A_ADMINUSER;
+reset role;
+set role to sdb_role_owner;
+revoke $A_USER from sdb_admin_group;
+revoke $A_USER FROM sdb_role_owner;
+reset role;
 commit;
 \c sokwedb_test
 begin;
-grant $A_USER TO $A_ADMINUSER;
+set role to sdb_role_owner;
+grant $A_USER TO sdb_admin_group with admin option;
+reset role;
+set role to sdb_admin_group;
 create schema $A_USER authorization $A_USER;
 grant usage on schema $A_USER to public;
-revoke $A_USER FROM $A_ADMINUSER;
+reset role;
+set role to sdb_role_owner;
+revoke $A_USER from sdb_admin_group;
+reset role;
 commit;
 \c sokwedb_dev
 begin;
-grant $A_USER TO $A_ADMINUSER;
+set role to sdb_role_owner;
+grant $A_USER TO sdb_admin_group with admin option;
+reset role;
+set role to sdb_admin_group;
 create schema $A_USER authorization $A_USER;
 grant usage on schema $A_USER to public;
-revoke $A_USER FROM $A_ADMINUSER;
+reset role;
+set role to sdb_role_owner;
+revoke $A_USER FROM sdb_admin_group;
+reset role;
 commit;
 \q
 EOF
diff --git a/bin/sokwedb-user-delete.m4 b/bin/sokwedb-user-delete.m4
index 3d2c32d..0d6aa6a 100644
--- a/bin/sokwedb-user-delete.m4
+++ b/bin/sokwedb-user-delete.m4
@@ -1,5 +1,6 @@
 #!/bin/sh
-# Copyright (C) 2012, 2023 The Meme Factory, Inc.  http://www.karlpinc.com/
+# Copyright (C) 2012, 2023, 2025 The Meme Factory, Inc.
+#               http://www.karlpinc.com/
 # Copyright (C) 2005, 2008, 2011 Karl O. Pinc <kop@karlpinc.com>
 #
 #   This program is free software: you can redistribute it and/or modify
@@ -61,13 +62,29 @@ export A_USER=$2
 if [ -z "$ADMIN" ] ; then
 psql $HOSTARGS -U $A_ADMINUSER -d sokwedb_dev <<EOF
 -- We start in sokwedb_dev
+begin;
+set role pdb_role_owner;
+set role $A_USER;
 drop schema if exists $A_USER cascade;
+reset role;
+reset role;
+commit;
 \c sokwedb_test
+begin;
+set role pdb_role_owner;
+set role $A_USER;
 drop schema if exists $A_USER cascade;
+reset role;
+reset role;
+commit;
 \c sokwedb
 begin;
+set role pdb_role_owner;
+set role $A_USER;
 drop schema if exists $A_USER cascade;
+reset role;
 drop role $A_USER;
+reset role;
 commit;
 EOF
 else
diff --git a/db/creategroups.m4 b/db/creategroups.m4
index f7c23a4..5549f55 100644
--- a/db/creategroups.m4
+++ b/db/creategroups.m4
@@ -1,4 +1,4 @@
-dnl Copyright (C) 2023 The Meme Factory, Inc. http://www.karlpinc.com/
+dnl Copyright (C) 2023, 2025 The Meme Factory, Inc. http://www.karlpinc.com/
 dnl
 dnl This program is free software: you can redistribute it and/or modify
 dnl it under the terms of the GNU Affero General Public License as published by
@@ -29,15 +29,55 @@ include(`copyright.m4')
 include(`constants.m4')
 dnl
 
-CREATE ROLE sdb_admin_group NOLOGIN CREATEDB CREATEROLE;
+-- The CREATEDB and BYPASSRLS attributes are removed later.
+-- NOINHERIT is necessary so that when sdb_role_owner is
+-- made a member of sdb_admin_group it does not get the
+-- groups permissions, but can have WITH ADMIN.
+CREATE ROLE sdb_role_owner NOLOGIN NOINHERIT CREATEROLE CREATEDB BYPASSRLS;
+
+SET ROLE sdb_role_owner;
+CREATE ROLE sdb_admin_group NOLOGIN CREATEDB BYPASSRLS;
+CREATE ROLE sdb_reader NOLOGIN;
+CREATE ROLE sdb_writer NOLOGIN;
+
+RESET ROLE;
+ALTER ROLE sdb_role_owner NOCREATEDB NOBYPASSRLS;
+
+-- Grant maximal (non-superuser) access by way of PG pre-defined roles
+DO $$
+  DECLARE ver INT := CURRENT_SETTING('server_version_num');
+  BEGIN
+    IF ver >= 140000 THEN
+      GRANT pg_read_all_data
+          , pg_write_all_data
+          , pg_read_all_settings
+          , pg_read_all_stats
+          , pg_stat_scan_tables
+          , pg_monitor
+          , pg_signal_backend
+          , pg_read_server_files
+          , pg_write_server_files
+          , pg_execute_server_program
+          , pg_checkpoint TO sdb_admin_group
+        WITH ADMIN OPTION;
+    ELSIF ver >= 160000 THEN
+      GRANT pg_use_reserved_connections
+          , pg_create_subscription TO sdb_admin_group
+        WITH ADMIN TRUE;
+    ELSIF ver >= 170000 THEN
+      GRANT pg_maintain TO sdb_admin_group
+        WITH ADMIN TRUE;
+    END IF;
+  END;
+$$;
 COMMENT ON ROLE sdb_admin_group IS
         'Role membership grants maximal SokweDB permissions';
 
-CREATE ROLE sdb_reader NOLOGIN;
 COMMENT ON ROLE sdb_reader IS
         'Role membership grants read access to SokweDB data';
 
-CREATE ROLE sdb_writer NOLOGIN;
 COMMENT ON ROLE sdb_writer IS
         'Role membership grants read/write access to SokweDB data';
 
+RESET ROLE;
+
diff --git a/doc/src/architecture.m4 b/doc/src/architecture.m4
index c22f043..8a3b138 100644
--- a/doc/src/architecture.m4
+++ b/doc/src/architecture.m4
@@ -35,6 +35,7 @@ and is configured with that in mind.\ [#f2]_
    architecture/databases.rst
    architecture/special_values.rst
    architecture/timestamps.rst
+   architecture/permissions.rst
    architecture/users.rst
    architecture/schemas.rst
 
diff --git a/doc/src/architecture/permissions.m4 b/doc/src/architecture/permissions.m4
new file mode 100644
index 0000000..33ce799
--- /dev/null
+++ b/doc/src/architecture/permissions.m4
@@ -0,0 +1,101 @@
+.. Copyright (C) 2019, 2023, 2025  The Meme Factory, Inc.  www.karlpinc.com
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU Affero General Public License as
+   published by the Free Software Foundation, either version 3 of the
+   License, or (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+.. M4 setup
+include(constants.m4)dnl
+include(macros.m4)dnl
+pdb_rst_quotes(`on')dnl
+pdb_generated_rst()dnl
+
+.. _database_permission_levels:
+
+Database Permission Levels
+--------------------------
+
+The database associates each login with specific permissions to
+objects (tables, etc.) within the database.\ [#f1]_
+
+To access the data in the database permission must be
+granted.  This is done per user login.
+
+There are 2 ordinary levels of permission.  Their names are:
+
+``pdb_reader``
+   Permission to query database content.
+
+``pdb_writer``
+   All the permissions of ``pdb_reader`` plus permission to alter
+   the content of the database.
+
+Ordinary permissions are database :dfn:`roles`.
+
+
+.. _changing_a_user_s_permissions:
+
+Changing A User's Permissions
+`````````````````````````````
+Normally, users are given the desired level of access when their login
+is created using SOKWEDB administration tools.
+There are various ways permissions can be granted or changed.
+One way is with SQL\ [#f2]_, e.g.::
+
+   GRANT pdb_reader TO someuser;
+
+
+.. _the_administrator_permission_level:
+
+The Administrator Permission Levels
+```````````````````````````````````
+
+Administrators are in two groups, ``pdb_role_owner`` and
+``pdb_admin_group``.
+The ``pdb_admin_group`` permission level has near-maximal permissions.
+It owns all database objects.
+The ``pdb_role_owner`` group manages all roles and has permission to
+create new users.\ [#f3]_
+
+It is the ``pdb_admin_group`` role that owns all the SOKWEDB database
+objects, the tables, views, etc.
+
+As PostgreSQL_ introduces new `pre-defined roles`_ the
+``pdb_admin_group`` should be added as a member of those roles.
+This will give all administrators the requisite additional access.
+
+.. _pre-defined roles:
+   https://www.postgresql.org/docs/current/predefined-roles.html
+
+.. _PostgreSQL roles:
+   https://www.postgresql.org/docs/current/user-manag.html
+
+.. rubric:: Footnotes
+
+.. [#f1] These are implemented as `PostgreSQL roles`_, and can be
+         thought of as groups in which user logins are placed to grant
+         them permissions.
+
+.. [#f2] SQL is ordinarily only used to change a login's permission
+         level.
+
+.. [#f3] The ``pdb_role_owner`` group exists only because roles do not
+         have ``WITH ADMIN TRUE`` on themselves.
+         So the ``pdb_admin_group`` role cannot grant the ability to
+         become itself to administrators, who need to be able to
+         become ``pdb_admin_group`` when creating database objects.
+         A second role is needed to grant the ``pdb_admin_group``
+         group ``WITH ADMIN TRUE`` to administrators.
+         This second role must have ``WITH ADMIN`` on the
+         ``pdb_admin_group``, which is what a role creator has so this
+         second role may as well create all roles as well as manage
+         role membership.
diff --git a/doc/src/architecture/users.m4 b/doc/src/architecture/users.m4
index 10cffa6..94584aa 100644
--- a/doc/src/architecture/users.m4
+++ b/doc/src/architecture/users.m4
@@ -1,4 +1,4 @@
-.. Copyright (C) 2019, 2023  The Meme Factory, Inc.  www.karlpinc.com
+.. Copyright (C) 2019, 2023, 2025  The Meme Factory, Inc.  www.karlpinc.com
 
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU Affero General Public License as
@@ -19,86 +19,126 @@ include(macros.m4)dnl
 sdb_rst_quotes(`on')dnl
 sdb_generated_rst()dnl
 
+.. _logins:
 
-Users and Database Permissions
-------------------------------
+Logins
+------
 
 Each person should have their own login/username, which should not be
 shared.
-
-The database associates each login with specific permissions to
-objects (tables, etc.) within the database.
-
-To access the data in the database permission must be
-granted.  This is done per user login.
-
-There are 2 ordinary levels of permission.  Their names are:
-
-sdb_reader
-   Permission to query database content.
-
-sdb_writer
-   All the permissions of ``sdb_reader`` plus permission to alter
-   the content of the database.
-
-Ordinary permissions are database :dfn:`roles`.  They can be granted
-with SQL, e.g.::
-
-   GRANT sdb_reader TO someuser;
-
-Or grants can be made through some other mechanism.
-
-.. _the_administrator_permission_level:
-
-The Administrator Permission Level
-``````````````````````````````````
-
-The ``sdb_admin_group`` permission level has maximal permissions.
-It is used to create :ref:`superusers <superusers>`.
-
-Permissions are implemented as `PostgreSQL roles`_.
-It is the ``sdb_admin_group`` role that owns all the SokweDB database
-objects, the tables, views, etc.
-
-.. _superusers:
-
-Superusers (aka Administrators)
-```````````````````````````````
-
-`Superusers <role_attributes>`__ have permission to do anything
-with a database, create and destroy tables, create and destroy user
-logins, etc.\ [#f1]_
-Only a few people are expected to have superuser privileges.
-
-.. The alternative to giving people 2 logins, regular and superuser
-   is to use NOINHERIT when granting and then SET ROLE for the user
-   to use the elevated permissions.  But this is too complicated.
-
-Those people with superuser privileges will typically have 2 logins,
-one ordinary login and a second login with superuser privileges.  The
-superuser login should be used only when necessary, as when a new
-person is given access to SokweDB and a new database login must be
+Most people will have a single login but because it is best-practice to
+do regular work with only the minimal amount of permission necessary
+some people will have more than one login;
+a login for each level of required access.
+
+In addition to regular logins, which are used for regular database
+work and have either read-only or read-write access to database
+content, there are the following other kinds of logins.
+
+.. _administrators:
+
+Administrators
+``````````````
+
+Administrators have near-maximal permissions.
+The primary purpose of an administrator login is to create or destroy
+other logins, and that is pretty much the only regular use of an
+administrator login.
+Some other administrative tasks, such as killing runaway PostgreSQL_
+queries and monitoring database activity, are also done occasionally.
+
+.. caution::
+
+   Administrative logins have access to the underlying operating
+   system files in the same way as a Unix shell user has access.
+   Administrative users can even run operating system level
+   commands.
+   Administrative accounts should be well-secured and utilize good
+   passwords.
+
+The build system and other supplied tools automatically ensure that
+tasks performed as an administrator are done by the appropriate group
+on behalf of the administrator.
+Administrators are in, and can become, the ``pdb_role_owner`` group
+and so can create and destroy roles.
+And they are in and can become the ``pdb_admin_group`` and therefore
+create and destroy tables, create and destroy user logins, etc.
+
+Only a few people are expected to have administrator privileges.
+
+Those people with administrator privileges will typically have 2
+logins, one ordinary login and a second login with administrator
+privileges.
+The administrative login should be used only when necessary, as when a
+new person is given access to PRIMEDB and a new database login must be
 created.
-Ordinary interactions with the database, data entry, data
-retrieval, etc., should be done with a non-superuser login.
+Ordinary interactions with the database, data entry, data retrieval,
+etc., should be done with a non-administrator login.
+
+PostgreSQL_ also has a `superuser role`_.\ [#f4]_
+Superusers have permission to do anything with a database.
+As with the Unix ``root`` user, there should usually be only a single
+PostgreSQL_ role with superuser privileges.\ [#f1]_
+
+.. _creating_administrators:
+
+Creating Administrators
+'''''''''''''''''''''''
+
+When creating administrative users, use, as the "administrative user",
+a role that will always exist.
+Don't use a role belonging to a person but a role such as the default
+PostgreSQL superuser.
+(You `must` use the default PostgreSQL_ superuser when you do not have
+a PostgreSQL_ role that can login and create groups.)
+If you do not use a role that always exists, then when the creating
+role is dropped the created role will lose part of its administrative
+privilege and will no longer be able to use the PRIMEDB tools to
+create users.
+
+Hint: Use Unix privilege escalation techniques to execute the PRIMEDB
+command line tool in an environment that gives the tool access to the
+PostgreSQL_ superuser.
 
 .. _developers:
 
 Developers
 ``````````
 
-Developers, the users who maintain the database structure, etc., must
-be :ref:`superusers <superusers>`.
+Developers, the users who maintain the database structure, etc., are a
+special kind of administrator and the same care should be taken
+handing out and securing developer logins as administrative
+logins.\ [#f2]_
 
-.. _role_attributes:
-   https://www.postgresql.org/docs/current/role-attributes.html
+The difference between developers and administrators is that
+developers do not have the ability to create or drop database logins,
+or have any more rights to administer permissions than a regular user
+has.\ [#f3]_
 
-.. _PostgreSQL roles:
-   https://www.postgresql.org/docs/current/user-manag.html
+Like administrators, developers have the ability to monitor database
+activity, kill runaway queries, and so forth.
+They full have access to all database content and also the ability to
+change the database's structure, rule validation, and so forth.
+
+Developers are expected to have ordinary logins, for use when
+interacting with database content.
+
+.. _superuser role:
+   https://www.postgresql.org/docs/current/role-attributes.html
 
 .. rubric:: Footnotes
 
-.. [#f1] The Azure cloud platform does not allow logins (aka roles) to have
+.. [#f1] In environments where the PostgreSQL_ database is hosted and managed
+         by a cloud service provider (Amazon RDS, Azure PostgreSQL, etc.)
+         the PostgreSQL_ superuser is not available to the customer.
+
+.. [#f2] Developers can do things like server-side ``COPY`` operations
+         or extension installation, and thus, like administrators, have
+         access to the server's file system and server executables.
+
+.. [#f3] Developers are not in the ``pdb_role_owner`` group.
+
+.. [#f4] The Azure cloud platform does not allow logins (aka roles) to have
          the ``SUPERUSER`` :ref:`role attribute <Superusers>`.
          Instead, the ``CREATEDB`` and ``CREATEROLE`` attributes are most
          that can be given.
diff --git a/include/global_constants.m4 b/include/global_constants.m4
index 9ce640b..d78ebd9 100644
--- a/include/global_constants.m4
+++ b/include/global_constants.m4
@@ -34,6 +34,7 @@ dnl
 dnl Database permissions
 dnl
 
+define(`sdb_role_owner', `role_owner')
 define(`sdb_admin_group', `admin')
 define(`sdb_reader', `reader')
 define(`sdb_writer', `writer')
-- 
2.34.1