| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Kevin Grittner <kgrittn(at)gmail(dot)com> |
| Cc: | Vitaly Burovoy <vitaly(dot)burovoy(at)gmail(dot)com>, Sehrope Sarkuni <sehrope(at)jackdb(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [REVIEW] Tab Completion for CREATE DATABASE ... TEMPLATE ... |
| Date: | 2016-09-11 18:25:41 |
| Message-ID: | 25158.1473618341@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Kevin Grittner <kgrittn(at)gmail(dot)com> writes:
> test=# create role fred with createdb;
> CREATE ROLE
> test=# create user bob;
> CREATE ROLE
> test=# grant fred to bob;
> GRANT ROLE
> test=# alter database postgres owner to fred;
> ALTER DATABASE
> test=# set role fred;
> SET
> test=> create database db1 template postgres;
> CREATE DATABASE
> test=> reset role;
> RESET
> test=# set role bob;
> SET
> test=> create database db2 template postgres;
> ERROR: permission denied to create database
> Opinions on whether this is a bug or correct behavior?
It's operating as designed, anyway. Role properties such as CREATEDB
are not grantable privileges and thus can't be inherited via GRANT.
There's been some muttering about changing that; but most people don't
seem to think that letting superuserness in particular be inherited
would be a good thing, so it hasn't gone anywhere.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Kuntal Ghosh | 2016-09-11 20:06:35 | Re: WAL consistency check facility |
| Previous Message | Tom Lane | 2016-09-11 18:19:05 | Re: Install extensions using update scripts (was Re: Remove superuser() checks from pgstattuple) |