Add new GUC createrole_self_grant.
Robert Haas <rhaas@postgresql.org>
Add new GUC createrole_self_grant. Can be set to the empty string, or to either or both of "set" or "inherit". If set to a non-empty value, a non-superuser who creates a role (necessarily by relying up the CREATEROLE privilege) will grant that role back to themselves with the specified options. This isn't a security feature, because the grant that this feature triggers can also be performed explicitly. Instead, it's a user experience feature. A superuser would necessarily inherit the privileges of any created role and be able to access all such roles via SET ROLE; with this patch, you can configure createrole_self_grant = 'set, inherit' to provide a similar experience for a user who has CREATEROLE but not SUPERUSER. Discussion: https://postgr.es/m/CA+TgmobN59ct+Emmz6ig1Nua2Q-_o=r6DSD98KfU53kctq_kQw@mail.gmail.com
Files
| Path | Change | +/− |
|---|---|---|
| doc/src/sgml/config.sgml | modified | +33 −0 |
| doc/src/sgml/ref/create_role.sgml | modified | +1 −0 |
| doc/src/sgml/ref/createuser.sgml | modified | +1 −0 |
| src/backend/commands/user.c | modified | +94 −3 |
| src/backend/utils/misc/guc_tables.c | modified | +12 −0 |
| src/backend/utils/misc/postgresql.conf.sample | modified | +1 −0 |
| src/include/commands/user.h | modified | +8 −2 |
| src/test/regress/expected/create_role.out | modified | +33 −0 |
| src/test/regress/sql/create_role.sql | modified | +37 −0 |
Documentation touched
Discussion
- fixing CREATEROLE 74 messages · 2022-11-21 → 2025-05-21