Re: has_privs_of_role vs. is_member_of_role, redux

From: Jeff Davis <pgsql(at)j-davis(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>, Wolfgang Walther <walther(at)technowledgy(dot)de>
Cc: "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: has_privs_of_role vs. is_member_of_role, redux
Date: 2022-10-20 20:05:04
Message-ID: 35e89ba98184b9be9a0c2edf5ee27e65d0a1d2c7.camel@j-davis.com
Lists: pgsql-hackers

On Mon, 2022-09-26 at 15:40 -0400, Stephen Frost wrote:
> Predefined roles are special in that they should GRANT just the
> privileges that the role is described to GRANT and that users really
> shouldn't be able to SET ROLE to them nor should they be allowed to own
> objects, or at least that's my general feeling on them.

What about granting privileges to others? I don't think that makes
sense for a predefined role, either, because then they'd own a bunch of
grants, which is as awkward as owning objects.

> If an administrator doesn't wish for a user to have the privileges
> provided by the predefined role by default, they should be able to set
> that up by creating another role who has that privilege which the user
> is able to SET ROLE to.

And that other role could be used for grants, if needed, too.

But I don't think we need to special-case predefined roles though. I
think a lot of administrators would like to declare some roles that are
just a collection of inheritable privileges.

--
Jeff Davis
PostgreSQL Contributor Team - AWS
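
The arrangement discussed in this message, as an added SQL example that is not part of the original email: an intermediate role carries a predefined role's privileges purely by inheritance, and a user reaches them only through an explicit SET ROLE. The role names `data_reader` and `alice` are hypothetical, and the `WITH INHERIT` / `WITH SET` grant options and the `'SET'` privilege type of `pg_has_role` assume PostgreSQL 16 or later.

```sql
-- Hypothetical role names, constructed for illustration.
CREATE ROLE data_reader NOLOGIN;
CREATE ROLE alice LOGIN;

-- data_reader uses pg_read_all_data only as a bundle of inheritable
-- privileges: INHERIT TRUE passes the privileges on, SET FALSE means no
-- member can SET ROLE to the predefined role through this grant, so
-- nobody ends up creating objects owned by pg_read_all_data.
GRANT pg_read_all_data TO data_reader WITH INHERIT TRUE, SET FALSE;

-- alice does not hold the privileges by default (INHERIT FALSE) but may
-- switch to the intermediate role when she needs them (SET TRUE).
GRANT data_reader TO alice WITH INHERIT FALSE, SET TRUE;

-- Review the membership edges and their per-grant options.
SELECT r.rolname AS granted_role,
       m.rolname AS member,
       a.inherit_option,
       a.set_option,
       a.admin_option
FROM pg_auth_members a
JOIN pg_roles r ON r.oid = a.roleid
JOIN pg_roles m ON m.oid = a.member
WHERE m.rolname IN ('alice', 'data_reader')
ORDER BY member, granted_role;

-- The three questions the thread title distinguishes, asked per role:
--   MEMBER: is alice a direct or indirect member at all?
--   USAGE:  are the role's privileges usable without SET ROLE?
--   SET:    may alice SET ROLE to it?
SELECT target,
       pg_has_role('alice', target, 'MEMBER') AS is_member,
       pg_has_role('alice', target, 'USAGE')  AS has_privs,
       pg_has_role('alice', target, 'SET')    AS can_set_role
FROM (VALUES ('data_reader'), ('pg_read_all_data')) AS t(target);

-- In a session connected as alice, the explicit opt-in is:
--   SET ROLE data_reader;   -- privileges of pg_read_all_data now apply
--   RESET ROLE;             -- back to alice's own privileges
```

Objects alice creates while `SET ROLE data_reader` is in effect are owned by `data_reader`, which is also the role that would appear as grantor on any grants made in that state, so the predefined role itself stays free of owned objects and grants.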
