Re: BUG #2516: group privs do not seem to be honored

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Sam Howard" <sam(dot)howard(at)gmxtechnologies(dot)com>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #2516: group privs do not seem to be honored
Date: 2006-07-14 01:08:19
Message-ID: 24247.1152839299@sss.pgh.pa.us
Lists: pgsql-bugs

"Sam Howard" <sam(dot)howard(at)gmxtechnologies(dot)com> writes:
> Trying to implement user level access and security, and am finding
> unexpected behavior with respect to group roles.

I believe the problem is here:

> CREATE ROLE appuser LOGIN
> ENCRYPTED PASSWORD 'mdblahblahblah'
> NOSUPERUSER NOINHERIT NOCREATEDB NOCREATEROLE;
              ^^^^^^^^^
> GRANT db_group TO appuser;

The behavior you're expecting requires appuser to be marked INHERIT.
As the CREATE ROLE man page explains:

    A role with the INHERIT attribute can automatically use whatever
    database privileges have been granted to all roles it is
    directly or indirectly a member of. Without INHERIT, membership
    in another role only grants the ability to SET ROLE to that
    other role; the privileges of the other role are only available
    after having done so. If not specified, INHERIT is the default.

regards, tom lane

PS: Sorry for belated response, but I and most of the other developers
have been off at a conference ...
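
The behavior described in the message above, as an added example that is not part of the original thread or the PostgreSQL sources. The roles appuser and db_group come from the report; the table inherit_demo is a constructed name, the password clause is omitted, and the script assumes a superuser session in a scratch database.

```sql
-- Added illustration; everything is rolled back at the end.
BEGIN;

CREATE ROLE db_group NOLOGIN;
CREATE ROLE appuser LOGIN NOSUPERUSER NOINHERIT NOCREATEDB NOCREATEROLE;
GRANT db_group TO appuser;

CREATE TABLE inherit_demo (id integer);          -- constructed table
GRANT SELECT ON inherit_demo TO db_group;

-- 1. With NOINHERIT, membership alone does not make db_group's SELECT
--    privilege available to appuser. pg_has_role separates the two
--    notions: USAGE = privileges usable without SET ROLE,
--    MEMBER = allowed to SET ROLE to the group.
SELECT has_table_privilege('appuser', 'inherit_demo', 'SELECT') AS can_select,
       pg_has_role('appuser', 'db_group', 'USAGE')              AS uses_group_privs,
       pg_has_role('appuser', 'db_group', 'MEMBER')             AS may_set_role;

-- 2. The group's privileges apply only after an explicit SET ROLE.
--    SET SESSION AUTHORIZATION makes appuser the session user, so the
--    SET ROLE permission check is made against appuser's memberships.
SET SESSION AUTHORIZATION appuser;
SET ROLE db_group;
SELECT current_user, count(*) AS visible_rows FROM inherit_demo;
RESET ROLE;
RESET SESSION AUTHORIZATION;

-- 3. Mark appuser INHERIT, as the reply recommends. On PostgreSQL 16 and
--    later the inherit setting is recorded per membership at GRANT time,
--    so the membership is re-created to pick up the new default; on older
--    releases the ALTER ROLE alone takes effect.
REVOKE db_group FROM appuser;
ALTER ROLE appuser INHERIT;
GRANT db_group TO appuser;

SELECT has_table_privilege('appuser', 'inherit_demo', 'SELECT') AS can_select,
       pg_has_role('appuser', 'db_group', 'USAGE')              AS uses_group_privs;

-- Audit query: login roles that hold memberships but are NOINHERIT,
-- which is the condition that produced this report.
SELECT m.rolname AS member, g.rolname AS group_role
FROM pg_auth_members am
JOIN pg_roles m ON m.oid = am.member
JOIN pg_roles g ON g.oid = am.roleid
WHERE m.rolcanlogin AND NOT m.rolinherit;

ROLLBACK;
```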
