From: | Wolfgang Walther <walther(at)technowledgy(dot)de> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: has_privs_of_role vs. is_member_of_role, redux |
Date: | 2022-09-08 16:30:19 |
Message-ID: | 16d92701-70bb-1a00-f9c4-2ce99328944a@technowledgy.de |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Robert Haas:
>> I think to change the owner of an object from role A to role B, you just
>> need a different "privilege" on that role B to "use" the role that way,
>> which is distinct from INHERIT or SET ROLE "privileges".
>
> It's not distinct, though, because if you can transfer ownership of a
> table to another user, you can use that ability to gain the privileges
> of that user.
Right, but the inverse is not neccessarily true, so you could have SET
ROLE privileges, but not "USAGE" - and then couldn't change the owner of
an object to this role.
USAGE is not a good term, because it implies "least amount of
privileges", but in this case it's quite the opposite.
In any case, adding a grant option for SET ROLE, while keeping the
required privileges for a transfer of ownership at the minimum
(membership only), doesn't really make sense. I guess both threads
should be discussed together?
Best
Wolfgang
From | Date | Subject | |
---|---|---|---|
Next Message | Andres Freund | 2022-09-08 16:44:09 | Re: Reducing the chunk header sizes on all memory context types |
Previous Message | Drouvot, Bertrand | 2022-09-08 16:07:05 | Re: [PATCH] Query Jumbling for CALL and SET utility statements |