Re: CREATEROLE users vs. role properties
tushar <tushar.ahuja@enterprisedb.com>
From: tushar <tushar.ahuja@enterprisedb.com>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Nathan Bossart <nathandbossart@gmail.com>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2023-01-23T15:25:01Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Improve several permission-related error messages.
- de4d456b406b 16.0 landed
-
Integrate superuser check into has_rolreplication()
- 442f8700656b 16.0 landed
-
Small code simplification
- 3b7cd8c690f2 16.0 landed
-
Adjust interaction of CREATEROLE with role properties.
- f1358ca52dd7 16.0 landed
-
Add new GUC reserved_connections.
- 6e2775e4d4e4 16.0 landed
-
Rename ReservedBackends variable to SuperuserReservedConnections.
- fe00fec1f5d7 16.0 landed
-
Update docs and error message for superuser_reserved_connections.
- 6c1d5ba48678 16.0 landed
-
Add new GUC createrole_self_grant.
- e5b8a4c098ad 16.0 cited
-
Restrict the privileges of CREATEROLE users.
- cf5eb37c5ee0 16.0 cited
-
Add a SET option to the GRANT command.
- 3d14e171e9e2 16.0 cited
On Thu, Jan 19, 2023 at 8:34 PM Robert Haas <robertmhaas@gmail.com> wrote: > On Thu, Jan 19, 2023 at 6:15 AM tushar <tushar.ahuja@enterprisedb.com> > wrote: > > postgres=# create role fff with createrole; > > CREATE ROLE > > postgres=# create role xxx; > > CREATE ROLE > > postgres=# set role fff; > > SET > > postgres=> alter role xxx with createrole; > > ERROR: permission denied > > postgres=> > > Here fff would need ADMIN OPTION on xxx to be able to make modifications > to it. > > See > https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=cf5eb37c5ee0cc54c80d95c1695d7fca1f7c68cb Thanks, Robert, that was helpful. Please refer to this scenario where I am able to give createrole privileges but not replication privilege to role postgres=# create role t1 createrole; CREATE ROLE postgres=# create role t2 replication; CREATE ROLE postgres=# create role t3; CREATE ROLE postgres=# grant t3 to t1,t2 with admin option; GRANT ROLE postgres=# set session authorization t1; SET *postgres=> alter role t3 createrole ;ALTER ROLE* postgres=> set session authorization t2; SET postgres=> alter role t3 replication; ERROR: permission denied This same behavior was observed in v14 as well but why i am able to give createrole grant but not replication? regards,