From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Jaime Casanova <jaime(at)2ndquadrant(dot)com> |
Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com>, pgsql-docs <pgsql-docs(at)postgresql(dot)org> |
Subject: | Re: CREATE USER |
Date: | 2012-08-30 01:14:40 |
Message-ID: | 20120830011440.GD8753@momjian.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-docs |
On Thu, May 3, 2012 at 02:05:49PM -0500, Jaime Casanova wrote:
> On Wed, May 2, 2012 at 12:09 PM, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> > On Tue, Apr 24, 2012 at 2:55 AM, Jaime Casanova <jaime(at)2ndquadrant(dot)com> wrote:
> >> On Tue, Dec 13, 2011 at 11:27 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> >>>
> >>> I think it might be sane to emit a WARNING suggesting that CREATEUSER
> >>> might not mean what you think, but failing is probably not good.
> >>>
> >>
> >> are we going to do this in this release?
> >> i never was able to think in a good phrasing for this, though
> >
> > I actually think we should just leave this alone. There is a
> > limitless number of things that someone could potentially be confused
> > by if they fail to read the documentation, and we can't warn about all
> > of them.
> >
>
> maybe is not very helpful, but it can't hurt... hey! it can save you
> because you maybe used CREATEUSER with the intention of CREATEROLE,
> and ended up with a user with restricted privileges that is actually a
> SUPERUSER... that's bad and is a POLA violation.
>
> is worse because we are the ones causing the confusion consider the syntax:
> CREATE USER = CREATE ROLE
> IN GROUP = IN ROLE
> USER = ROLE
>
> CREATEUSER != CREATEROLE
> CREATEUSER = SUPERUSER
I looked at this and can't see a way to make CREATEUSER != CREATEROLE
clearer:
The only difference is that when the command is spelled CREATE USER,
LOGIN is assumed by default, whereas NOLOGIN is assumed when the
command is spelled CREATE ROLE.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ It's impossible for everything to be true. +
From | Date | Subject | |
---|---|---|---|
Next Message | Peter Eisentraut | 2012-08-30 01:57:28 | Re: somewhat wrong archive_command example |
Previous Message | Bruce Momjian | 2012-08-29 22:38:47 | Re: Observation on integer types documentation |