Re: fixing CREATEROLE
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: "David G. Johnston" <david.g.johnston@gmail.com>
Cc: Robert Haas <robertmhaas@gmail.com>,
Mark Dilger <mark.dilger@enterprisedb.com>,
"pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2022-11-23T21:40:44Z
Lists: pgsql-hackers
"David G. Johnston" <david.g.johnston@gmail.com> writes: > On Wed, Nov 23, 2022 at 2:18 PM Robert Haas <robertmhaas@gmail.com> wrote: >> Either way, I'm not quite sure what the benefit of converting these >> things to predefined roles is. > Specifically, you gain inheritance/set and "admin option" for free. Right: the practical issue with CREATEROLE/CREATEDB is that you need some mechanism for managing who can grant those privileges. The current answer isn't very flexible, which has been complained of repeatedly. If they become predefined roles then we get a lot of already-built-out infrastructure to solve that, instead of having to write even more single-purpose logic. I think it's a sensible future path, but said lack of flexibility hasn't yet spurred anyone to do it. regards, tom lane
Commits
-
Add new GUC createrole_self_grant.
- e5b8a4c098ad 16.0 landed
-
Restrict the privileges of CREATEROLE users.
- cf5eb37c5ee0 16.0 landed
-
Pass down current user ID to AddRoleMems and DelRoleMems.
- 39cffe95f2c5 16.0 landed
-
Refactor permissions-checking for role grants.
- 25bb03166b16 16.0 landed
-
Improve documentation of the CREATEROLE attibute.
- 0b496bc9881f 11.19 landed
- 1a5ff7be2696 12.14 landed
- 5dac191edf18 13.10 landed
- 1c77873727df 16.0 landed
- 5136c3fb575b 14.7 landed
- aa26980ca081 15.2 landed
-
Make role grant system more consistent with other privileges.
- ce6b672e4455 16.0 cited