From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Alvaro Herrera <alvherre(at)commandprompt(dot)com>, Euler Taveira de Oliveira <euler(at)timbira(dot)com>, Owen Jacobson <owen(dot)jacobson(at)grimoire(dot)ca>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org> |
Subject: | Re: CREATEROLE does not permit commenting on newly-created roles |
Date: | 2011-03-09 05:18:18 |
Message-ID: | AANLkTin_zU0f1wZqNTM9N6e8OAcpD6eX70Y6JiB-y15k@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs |
On Tue, Mar 8, 2011 at 11:48 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> I wrote:
>> I thought there was nothing particularly unreasonable about Owen's
>> suggestion: let users with the CREATEROLE attribute comment on any role.
>> I don't think COMMENT added to CREATE ROLE would be a very nice fix
>> (aside from being ugly, what if you want to change the comment later?).
>
>> It strikes me actually that letting members of the role comment on it
>> is not an amazingly good idea. They are not owners of the role in any
>> meaningful sense --- for instance, they can't drop it. It'd be more
>> reasonable and consistent to say that only superusers and holders of
>> CREATEROLE can do COMMENT ON ROLE.
>
> In particular, I suggest the attached patch (code-complete, but sans
> documentation changes). The changes here bring COMMENT ON ROLE into
> line with the permission requirements for other operations on roles
> that require ownership-like permissions. This patch modifies
> check_object_ownership, which means it affects three call sites at
> present:
>
> COMMENT ON ROLE
>
> ALTER EXTENSION ADD/DROP (but the target object cannot be a role)
>
> SECURITY LABEL IS (also couldn't be a role, at the moment)
>
> The SECURITY LABEL case, even though it's presently unimplemented,
> seems to me to be a darn good argument for redefining the notion
> of "role ownership" like this. Who would want a mere member of some
> group role to be able to set that role's security label?
>
> Comments, objections?
I think it's a good change, but we should make sure to release-note it
properly, along with the change you made for PLs.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2011-03-09 05:45:48 | Re: CREATEROLE does not permit commenting on newly-created roles |
Previous Message | Tom Lane | 2011-03-09 04:48:28 | Re: CREATEROLE does not permit commenting on newly-created roles |