| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Fabien COELHO <coelho(at)cri(dot)ensmp(dot)fr>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [PATCHES] Users/Groups -> Roles |
| Date: | 2005-07-01 22:46:41 |
| Message-ID: | 17554.1120258001@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers pgsql-patches |
Stephen Frost <sfrost(at)snowman(dot)net> writes:
> * Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
>> We probably need to think a bit harder about the meaning of CREATEROLE
>> though. Right now it gives free license not only to create roles but
>> to alter any property of existing roles. This seems appropriate if you
>> think of it as a "safer form of superuser", which is how I was thinking
>> of it. It would be too powerful for Fabien's situation though.
> Well, what about it makes it 'too powerful'?
The fact that you could alter roles that (in some sense) don't belong to
you. In particular you could allow yourself into other people's
databases, if you can alter the roles that they are using to define who
can connect to those databases. Or cause denials of service by revoking
other people's memberships in those roles.
On the other hand, CREATEROLE as-is does exactly what it was intended
to do, namely let the DBA do all normal admin maintenance of users/groups
without taking the risks involved in doing stuff as superuser. If we
restrict it more, then we'll be back to the situation where there are
routine manual admin tasks that require superuserdom. So on reflection
I don't think we should restrict it. If we need a more restrictive
feature, then we need a different feature.
I'm of the opinion that it's too late to do much about Fabien's use-case
in this devel cycle. We could possibly have designed something rational
if it had been brought up earlier in the discussion of roles (which I
remind you has been going on for months). But now it's too late to do
anything that wouldn't be a kluge, and probably a kluge we'd regret
later.
Possibly for 8.2 we could invent a notion of roles having owners.
Offhand I don't see any harm in letting non-CREATEROLE users create
non-login roles, and manipulate the membership of roles they have
created (or that have been assigned to them by a superuser). On the
other hand, it could be that the WITH ADMIN OPTION feature is already
sufficient for this. This really needs some thought ...
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jim C. Nasby | 2005-07-01 23:07:38 | Re: Open items |
| Previous Message | Stephen Frost | 2005-07-01 21:34:49 | Roles - SET ROLE |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2005-07-01 22:58:32 | Re: Use of E'' in pg_dump |
| Previous Message | Stephen Frost | 2005-07-01 21:34:49 | Roles - SET ROLE |