Skip to content

Detect indirect superusers via role membership on PG 16+ #24

Merged
mble merged 3 commits intomainfrom
mble/indirect-superuser-detection
Feb 24, 2026
Merged

Detect indirect superusers via role membership on PG 16+ #24
mble merged 3 commits intomainfrom
mble/indirect-superuser-detection

Conversation

@mble
Copy link

@mble mble commented Feb 21, 2026

On PostgreSQL 16+, use a recursive CTE to walk pg_auth_members and
detect roles that can gain superuser access via SET ROLE (set_option)
or re-granting (admin_option). Adds an access_type label (direct or
indirect) to the per-role metric. PG < 16 retains direct-only detection.

mble added 2 commits February 21, 2026 12:41
@mble
Detect indirect superusers via role membership on PG 16+
bf894c6 
On PostgreSQL 16+, use a recursive CTE to walk pg_auth_members and
detect roles that can gain superuser access via SET ROLE (set_option)
or re-granting (admin_option). Adds an access_type label (direct or
indirect) to the per-role metric. PG < 16 retains direct-only detection.
@mble
Fully qualify catalog relations and operators in superuser queries
c86adbd 
Prevent search_path hijack by qualifying pg_roles, pg_auth_members,
casts, and equality operators with pg_catalog.
@mble mble requested a review from a team as a code owner February 21, 2026 12:46
maxenglander
maxenglander approved these changes Feb 21, 2026
View reviewed changes
Copy link
Collaborator

@maxenglander maxenglander left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One concern, if we have a customer that has 100000+ roles, this could get computationally expensive.

I feel like between this and the concern i had with Hirad's extension metric opening too many connections, it might be worth having a way to run certain queries which (a) arent run every 30 seconds (b) may take a lot longer to run than 30s (c) can be written in a way that takes care not to use too much resources, eg via pagination.

@mble
Skip indirect superuser detection when role count >= 1000
ab3d7d7 
The recursive CTE for indirect superuser detection is expensive at scale.
Fall back to the simple direct-only query when the instance has >= 1000 roles.
@mble
Copy link
Author

mble commented Feb 24, 2026

@maxenglander FYSA I added a pretty naive check to avoid thrash.

@mble mble merged commit 96201eb into main Feb 24, 2026
8 checks passed
@mble mble deleted the mble/indirect-superuser-detection branch February 24, 2026 15:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@maxenglander maxenglander maxenglander approved these changes

Assignees

No one assigned

Labels

claude-code-assisted

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mble @maxenglander