From: | tushar <tushar(dot)ahuja(at)enterprisedb(dot)com> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Nathan Bossart <nathandbossart(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: CREATEROLE users vs. role properties |
Date: | 2023-01-24 14:07:25 |
Message-ID: | CAC6VRoaZ3K4yVCx5eSbz3KYzxkEo=x7sFeoovm93+YXAJDRv4g@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Mon, Jan 23, 2023 at 10:28 PM Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
>
> In previous releases, you needed to have CREATEROLE in order to be
> able to perform user management functions. In master, you still need
> CREATEROLE, and you also need ADMIN OPTION on the role. In this
> scenario, only t1 meets those requirements with respect to t3, so only
> t1 can manage t3. t2 can SET ROLE to t3 and grant membership in t3,
> but it can't set role properties on t3 or change t3's password or
> things like that, because the ability to make user management changes
> is controlled by CREATEROLE.
>
ok.
>
> The patch is only intended to change behavior in the case where you
> possess both CREATEROLE and also ADMIN OPTION on the target role (but
> not SUPERUSER). In that scenario, it intends to change whether you can
> give or remove the CREATEDB, REPLICATION, and BYPASSRLS properties
> from a user.
>
right, Neha/I have tested with different scenarios using
createdb/replication/bypassrls and other
privileges properties on the role. also checked
pg_dumpall/pg_basebackup and everything looks fine.
regards,
From | Date | Subject | |
---|---|---|---|
Next Message | Takamichi Osumi (Fujitsu) | 2023-01-24 14:22:58 | RE: Time delayed LR (WAS Re: logical replication restrictions) |
Previous Message | Takamichi Osumi (Fujitsu) | 2023-01-24 14:03:09 | RE: Time delayed LR (WAS Re: logical replication restrictions) |