Re: CREATEROLE users vs. role properties
tushar <tushar.ahuja@enterprisedb.com>
From: tushar <tushar.ahuja@enterprisedb.com>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Nathan Bossart <nathandbossart@gmail.com>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2023-01-24T14:07:25Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Improve several permission-related error messages.
- de4d456b406b 16.0 landed
-
Integrate superuser check into has_rolreplication()
- 442f8700656b 16.0 landed
-
Small code simplification
- 3b7cd8c690f2 16.0 landed
-
Adjust interaction of CREATEROLE with role properties.
- f1358ca52dd7 16.0 landed
-
Add new GUC reserved_connections.
- 6e2775e4d4e4 16.0 landed
-
Rename ReservedBackends variable to SuperuserReservedConnections.
- fe00fec1f5d7 16.0 landed
-
Update docs and error message for superuser_reserved_connections.
- 6c1d5ba48678 16.0 landed
-
Add new GUC createrole_self_grant.
- e5b8a4c098ad 16.0 cited
-
Restrict the privileges of CREATEROLE users.
- cf5eb37c5ee0 16.0 cited
-
Add a SET option to the GRANT command.
- 3d14e171e9e2 16.0 cited
On Mon, Jan 23, 2023 at 10:28 PM Robert Haas <robertmhaas@gmail.com> wrote: > > In previous releases, you needed to have CREATEROLE in order to be > able to perform user management functions. In master, you still need > CREATEROLE, and you also need ADMIN OPTION on the role. In this > scenario, only t1 meets those requirements with respect to t3, so only > t1 can manage t3. t2 can SET ROLE to t3 and grant membership in t3, > but it can't set role properties on t3 or change t3's password or > things like that, because the ability to make user management changes > is controlled by CREATEROLE. > ok. > > The patch is only intended to change behavior in the case where you > possess both CREATEROLE and also ADMIN OPTION on the target role (but > not SUPERUSER). In that scenario, it intends to change whether you can > give or remove the CREATEDB, REPLICATION, and BYPASSRLS properties > from a user. > right, Neha/I have tested with different scenarios using createdb/replication/bypassrls and other privileges properties on the role. also checked pg_dumpall/pg_basebackup and everything looks fine. regards,