Re: fixing CREATEROLE
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Mark Dilger <mark.dilger@enterprisedb.com>,
"pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2022-11-23T20:32:59Z
Lists: pgsql-hackers
Robert Haas <robertmhaas@gmail.com> writes: > On Wed, Nov 23, 2022 at 2:28 PM Mark Dilger > <mark.dilger@enterprisedb.com> wrote: >> I had incorrectly imagined that if the bootstrap superuser granted >> CREATEROLE to Alice with particular settings, those settings would >> limit the things that Alice could do when creating role Bob, >> specifically limiting how much she could administer/inherit/set role >> Bob thereafter. Apparently, your proposal only configures what happens >> by default, and Alice can work around that if she wants to. > Right. Okay ... >> But if that's the case, did I misunderstand upthread that these are >> properties the superuser specifies about Alice? Can Alice just set >> these properties about herself, so she gets the behavior she wants? >> I'm confused now about who controls these settings. > Because they are role-level properties, they can be set by whoever has > ADMIN OPTION on the role. That always includes every superuser, and it > never includes Alice herself (except if she's a superuser). That is just bizarre. Alice can do X, and she can do Y, but she can't control a flag that says which of those happens by default? How is that sane (disregarding the question of whether the existence of the flag is a good idea, which I'm now even less sold on)? regards, tom lane
Commits
-
Add new GUC createrole_self_grant.
- e5b8a4c098ad 16.0 landed
-
Restrict the privileges of CREATEROLE users.
- cf5eb37c5ee0 16.0 landed
-
Pass down current user ID to AddRoleMems and DelRoleMems.
- 39cffe95f2c5 16.0 landed
-
Refactor permissions-checking for role grants.
- 25bb03166b16 16.0 landed
-
Improve documentation of the CREATEROLE attibute.
- 0b496bc9881f 11.19 landed
- 1a5ff7be2696 12.14 landed
- 5dac191edf18 13.10 landed
- 1c77873727df 16.0 landed
- 5136c3fb575b 14.7 landed
- aa26980ca081 15.2 landed
-
Make role grant system more consistent with other privileges.
- ce6b672e4455 16.0 cited