Re: fixing CREATEROLE
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Mark Dilger <mark.dilger@enterprisedb.com>,
"pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2022-11-23T21:18:08Z
Lists: pgsql-hackers
Robert Haas <robertmhaas@gmail.com> writes: > But having said that, I could certainly change the patches so that any > user, or maybe just a createrole user since it's otherwise irrelevant, > can flip the INHERITCREATEDROLE and SETCREATEDROLE bits on their own > account. There would be no harm in that from a security or auditing > perspective AFAICS. It would, however, make the handling of those > flags different from the handling of most other role-level properties. > That is in fact why things ended up the way that they did: I just made > the new role-level properties which I added work like most of the > existing ones. To be clear, I'm not saying that I know a better answer. But the fact that these end up so different from other role-property bits seems to me to suggest that making them role-property bits is the wrong thing. They aren't privileges in any usual sense of the word --- if they were, allowing Alice to flip her own bits would obviously be silly. But all the existing role-property bits, with the exception of rolinherit, certainly are in the nature of privileges. > What I would > particularly like to hear in such an argument, though, is a theory > that goes beyond those two particular properties and addresses what > ought to be done with all the other ones, especially CREATEDB and > CREATEROLE. CREATEDB and CREATEROLE don't particularly bother me. We've talked before about replacing them with memberships in predefined roles, and that would be fine. But the reason nobody's got around to that (IMNSHO) is that it won't really add much. The thing that I think is a big wart is rolinherit. I don't know quite what to do about it. But these two new proposed bits seem to be much the same kind of wart, so I'd rather not invent them, at least not in the form of role properties. regards, tom lane
Commits
-
Add new GUC createrole_self_grant.
- e5b8a4c098ad 16.0 landed
-
Restrict the privileges of CREATEROLE users.
- cf5eb37c5ee0 16.0 landed
-
Pass down current user ID to AddRoleMems and DelRoleMems.
- 39cffe95f2c5 16.0 landed
-
Refactor permissions-checking for role grants.
- 25bb03166b16 16.0 landed
-
Improve documentation of the CREATEROLE attibute.
- 0b496bc9881f 11.19 landed
- 1a5ff7be2696 12.14 landed
- 5dac191edf18 13.10 landed
- 1c77873727df 16.0 landed
- 5136c3fb575b 14.7 landed
- aa26980ca081 15.2 landed
-
Make role grant system more consistent with other privileges.
- ce6b672e4455 16.0 cited