From: | Adam Brightwell <adam(dot)brightwell(at)crunchydatasolutions(dot)com> |
---|---|
To: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: superuser() shortcuts |
Date: | 2014-11-04 20:02:16 |
Message-ID: | CAKRt6CTE5C9KN3eJjS966oaK2+_sSNrOncA5AnMn8ysb=WBZKA@mail.gmail.com |
Lists: | pgsql-hackers |
Thanks for looking at this patch.
> I suggest moving the rest of the changes into separate patches.
>
Hmmm... perhaps the following?
* superuser-cleanup - contains above mentioned superuser shortcuts only.
* has_privilege-cleanup - contains has_*_privilege cleanup only.
Would that also require a separate commitfest entry?
> The ha*_something_privilege() changes are also not very consistent.
>
> We already have have_createrole_privilege(), which does include a
> superuser check, and you add has_replication_privilege() with a
> superuser check, but has_catupdate_privilege() and
> has_inherit_privilege() don't include a superuser check. That's clearly
> a mess.
>
Good catch. Though, according to the documentation, not even superuser is
allowed to bypass CATUPDATE.
http://www.postgresql.org/docs/9.4/static/catalog-pg-authid.html.
However, I can't think of a reason why "inherit" wouldn't need the
superuser check. Obviously superuser is considered a member of every role,
but is there a reason that a superuser would not be allowed to bypass
this? I only ask because it did not have a check previously, so I figure
there might have been a good reason for it?
> Btw., why rename have_createrole_privilege()?
>
Well, actually it wasn't necessarily a rename. It was a removal of that
function altogether as all it did was simply return the result of
"has_createrole_privilege". That seemed rather redundant and unnecessary,
IMO.
> Also, your patch has spaces between tabs. Check for whitespace errors
> with git.
>
Yikes.
-Adam
--
Adam Brightwell - adam(dot)brightwell(at)crunchydatasolutions(dot)com
Database Engineer - www.crunchydatasolutions.com