Re: CREATEROLE users vs. role properties
tushar <tushar.ahuja@enterprisedb.com>
From: tushar <tushar.ahuja@enterprisedb.com>
To: Nathan Bossart <nathandbossart@gmail.com>,
Robert Haas <robertmhaas@gmail.com>
Cc: "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2023-01-19T11:15:22Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Improve several permission-related error messages.
- de4d456b406b 16.0 landed
-
Integrate superuser check into has_rolreplication()
- 442f8700656b 16.0 landed
-
Small code simplification
- 3b7cd8c690f2 16.0 landed
-
Adjust interaction of CREATEROLE with role properties.
- f1358ca52dd7 16.0 landed
-
Add new GUC reserved_connections.
- 6e2775e4d4e4 16.0 landed
-
Rename ReservedBackends variable to SuperuserReservedConnections.
- fe00fec1f5d7 16.0 landed
-
Update docs and error message for superuser_reserved_connections.
- 6c1d5ba48678 16.0 landed
-
Add new GUC createrole_self_grant.
- e5b8a4c098ad 16.0 cited
-
Restrict the privileges of CREATEROLE users.
- cf5eb37c5ee0 16.0 cited
-
Add a SET option to the GRANT command.
- 3d14e171e9e2 16.0 cited
On 1/19/23 3:05 PM, tushar wrote: > which was working previously without patch. My bad, I was testing against PG v15 but this issue is not reproducible on master (without patch). As you mentioned- "This implements the standard idea that you can't give permissions you don't have (but you can give the ones you do have)" but here the role is having createrole privilege that he cannot pass on to another user? Is this expected? postgres=# create role fff with createrole; CREATE ROLE postgres=# create role xxx; CREATE ROLE postgres=# set role fff; SET postgres=> alter role xxx with createrole; ERROR: permission denied postgres=> -- regards,tushar EnterpriseDB https://www.enterprisedb.com/ The Enterprise PostgreSQL Company