From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Mark Dilger <mark(dot)dilger(at)enterprisedb(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: fixing CREATEROLE |
Date: | 2022-11-23 18:11:01 |
Message-ID: | 3724776.1669227061@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> On Wed, Nov 23, 2022 at 12:36 PM Mark Dilger
> <mark(dot)dilger(at)enterprisedb(dot)com> wrote:
>> Yes, this all makes sense, but does it entail that the CREATE ROLE command must behave differently on the basis of a setting?
> Well, we certainly don't HAVE to add those new role-level properties;
> that's why they are in a separate patch. But I think they add a lot of
> useful functionality for a pretty minimal amount of extra code
> complexity.
I haven't thought about these issues hard enough to form an overall
opinion (though I agree that making CREATEROLE less tantamount
to superuser would be an improvement). However, I share Mark's
discomfort about making these commands act differently depending on
context. We learned long ago that allowing GUCs to affect query
semantics was a bad idea. Basing query semantics on properties
of the issuing role (beyond success-or-permissions-failure) doesn't
seem a whole lot different from that. It still means that
applications can't just issue command X and expect Y to happen;
they have to inquire about context in order to find out that Z might
happen instead. That's bad in any case, but it seems especially bad
for security-critical behaviors.
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | Ankit Kumar Pandey | 2022-11-23 18:18:20 | Questions regarding distinct operation implementation |
Previous Message | Robert Haas | 2022-11-23 18:05:54 | Re: code cleanups |