Re: improving user.c error messages
Nathan Bossart <nathandbossart@gmail.com>
From: Nathan Bossart <nathandbossart@gmail.com>
To: Peter Eisentraut <peter.eisentraut@enterprisedb.com>
Cc: Alvaro Herrera <alvherre@alvh.no-ip.org>, Tom Lane <tgl@sss.pgh.pa.us>, Robert Haas <robertmhaas@gmail.com>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2023-02-20T22:58:52Z
Lists: pgsql-hackers
Attachments
- v6-0001-Improve-user.c-error-messages.patch (text/x-diff)
On Mon, Feb 20, 2023 at 11:02:10AM -0800, Nathan Bossart wrote: > On Mon, Feb 20, 2023 at 08:54:48AM +0100, Peter Eisentraut wrote: >> I'm concerned about the loose use of "privilege" here. A privilege is >> something I can grant. So if someone doesn't have the "REPLICATION >> privilege", as in the above example, I would expect to be able to do "GRANT >> REPLICATION TO someuser". Since that is not what is happening, we should >> use some other term. The documentation around CREATE USER uses the terms >> "attribute" and "option" (and also "privilege") for these things. > > Good point. I will adjust these to use "attribute" instead. done in v6 >> Similarly -- this is an existing issue but we might as well look at it -- in >> something like >> >> must be superuser or a role with privileges of the >> pg_write_server_files role >> >> the phrase "a role with the privileges of that other role" seems ambiguous. >> Doesn't it really mean you must be a member of that role? > > Membership alone is not sufficient. You must also inherit the privileges > of the role via the INHERIT option. I thought about making this something > like > > must have the INHERIT option on role %s > > but I'm not sure that's accurate either. That wording makes it sound lіke > you need to be granted membership to the role directly WITH INHERIT OPTION, > but what you really need is membership, direct or indirect, with an INHERIT > chain up to the role in question. However, it looks like "must have the > ADMIN option on role %s" is used to mean something similar, so perhaps I am > overthinking it. For now, I've reworded these as "must inherit privileges of". -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Improve several permission-related error messages.
- de4d456b406b 16.0 landed
-
Integrate superuser check into has_rolreplication()
- 442f8700656b 16.0 landed
-
Small code simplification
- 3b7cd8c690f2 16.0 landed
-
Adjust interaction of CREATEROLE with role properties.
- f1358ca52dd7 16.0 landed
-
Add new GUC reserved_connections.
- 6e2775e4d4e4 16.0 landed
-
Rename ReservedBackends variable to SuperuserReservedConnections.
- fe00fec1f5d7 16.0 landed
-
Update docs and error message for superuser_reserved_connections.
- 6c1d5ba48678 16.0 landed
-
Add new GUC createrole_self_grant.
- e5b8a4c098ad 16.0 cited
-
Restrict the privileges of CREATEROLE users.
- cf5eb37c5ee0 16.0 cited
-
Add a SET option to the GRANT command.
- 3d14e171e9e2 16.0 cited