| From: | Kasia Tuszynska <ktuszynska(at)esri(dot)com> |
|---|---|
| To: | Guillaume Lelarge <guillaume(at)lelarge(dot)info> |
| Cc: | pgsql-admin <pgsql-admin(at)postgresql(dot)org> |
| Subject: | Re: two questions about pg 9.0 |
| Date: | 2010-10-13 20:21:15 |
| Message-ID: | 232B5217AD58584C87019E8933556D1102199CC548@redmx2.esri.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgadmin-hackers pgsql-admin pgsql-testers |
Hi Guillaume,
Thanks for your reply I did a bit more testing with the superuser priv issue, and now I came to the conclusion that pgAdminIII may be doing something silly.
I created a user: bob
In pgAdminIII I checked off the box for: can inherit from parent role, can create db object, superuser
Got the following sql:
CREATE ROLE bob LOGIN
ENCRYPTED PASSWORD 'md51e9484aace238e7cb2609130fd87646e'
SUPERUSER INHERIT CREATEDB NOCREATEROLE;
UPDATE pg_authid SET rolcapupdate=false WHERE rolname='bob';
Than I created bobb
In pgAdminIII I checked off the box for: can inherit from parent role, can create db object, superuser, Can modify catalog directly
Got the following sql:
CREATE ROLE bobb LOGIN
ENCRYPTED PASSWORD 'md51e9484aace238e7cb2609130fd87646e'
SUPERUSER INHERIT CREATEDB NOCREATEROLE;
Conclusion:
Sql level superuser = pgAdminIII superuser + can modify catalog directly
This is misleading, I would call it a pgAdminIII bug but who knows maybe it is a feature...
Sincerely,
Kasia
-----Original Message-----
From: Guillaume Lelarge [mailto:guillaume(at)lelarge(dot)info]
Sent: Tuesday, October 12, 2010 10:59 AM
To: Kasia Tuszynska
Cc: pgsql-admin
Subject: Re: [ADMIN] two questions about pg 9.0
Hi,
Le 12/10/2010 19:25, Kasia Tuszynska a écrit :
> [...]
> 1. Permissions:
> When I create a login role with superuser privileges in pgAdminIII I have the option of indicating that the superuser will also have the permission to: "can modify catalog directly", when I look at the sql that is generated by that gui, I do not see a corresponding sql permission, I see:
> "CREATE ROLE kasia LOGIN ENCRYPTED PASSWORD 'md5ff0508b7bb33909c096d1b447a17d09b'
> SUPERUSER VALID UNTIL 'infinity';"
> A. What does "can modify catalog directly" actually do? I looked it up and I found : "This option determines whether the role can modify system catalog directly or not." But that really does not tell me much.
Yeah, we kinda suck at documenting things :)
It refers to the rolcatupdate column in the pg_authid system table.
Which is a permission to update the system catalogs (system tables).
> B. Why is there no sql level equivalent? When I revoke the "can modify catalog directly" permission I get the following sql: UPDATE pg_authid SET rolcatupdate=false WHERE OID=17331::oid;
You create a superuser, which already has this capacity. So we don't
need to add something else. Of course, if you uncheck it, we'll have to
update the system table to set it to false.
--
Guillaume
http://www.postgresql.fr
http://dalibo.com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Guillaume Lelarge | 2010-10-13 21:20:02 | Re: two questions about pg 9.0 |
| Previous Message | Guillaume Lelarge | 2010-10-13 09:03:08 | Re: wrong indexes sizes on index page |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Guillaume Lelarge | 2010-10-13 21:20:02 | Re: two questions about pg 9.0 |
| Previous Message | Simon Riggs | 2010-10-13 20:06:27 | Re: replication solution |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Guillaume Lelarge | 2010-10-13 21:20:02 | Re: two questions about pg 9.0 |
| Previous Message | Guillaume Lelarge | 2010-10-12 17:59:21 | Re: two questions about pg 9.0 |