Re: pg_auth_members.grantor is bunk
Jeff Davis <pgsql@j-davis.com>
From: Jeff Davis <pgsql@j-davis.com>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Jacob Champion <jchampion@timescale.com>,
Stephen Frost <sfrost@snowman.net>, "David G. Johnston"
<david.g.johnston@gmail.com>, Mark Dilger <mark.dilger@enterprisedb.com>,
Andrew Dunstan <andrew@dunslane.net>, PostgreSQL-development
<pgsql-hackers@postgresql.org>
Date: 2022-09-07T14:56:28Z
Lists: pgsql-hackers
On Wed, 2022-09-07 at 09:39 -0400, Robert Haas wrote: > Now that is not to say that we couldn't decide that > select_best_grantor() got it wrong and choose to break backward > compatibility in order to fix it ... but I'm not even convinced that > the alternative behavior you propose is clearly better, let alone > that > it's enough better to justify changing things. OK. I suppose the best path forward is to just try to improve the ability to administer the system without relying as much on superusers, which will allow us to safely ignore some of the weirdness caused by superusers issuing grants. Regards, Jeff Davis
Commits
-
Make role grant system more consistent with other privileges.
- ce6b672e4455 16.0 landed
-
Ensure that pg_auth_members.grantor is always valid.
- 6566133c5f52 16.0 landed
-
Remove the ability of a role to administer itself.
- 79de9842ab03 15.0 landed
-
Add tests of the CREATEROLE attribute
- e9d4001ec592 15.0 landed
-
Replace explicit PIN entries in pg_depend with an OID range test.
- a49d08123599 15.0 cited
-
Shore up ADMIN OPTION restrictions.
- fea164a72a7b 9.4.0 cited
-
Add pg_has_role() family of privilege inquiry functions modeled after the
- f9fd1764615e 8.1.0 cited
-
Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion
- 4b2dafcc0b1a 8.0.0 cited