Re: What happened to the tip "It is good practice to create a role that has the CREATEDB and CREATEROLE privileges..."

From: Jeremy Smith <jeremy(at)musicsmith(dot)net>
To: Bryn Llewellyn <bryn(at)yugabyte(dot)com>
Cc: pgsql-general list <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: What happened to the tip "It is good practice to create a role that has the CREATEDB and CREATEROLE privileges..."
Date: 2023-04-19 19:00:28
Message-ID: CAM8SmLWK62C+jvA-Lg=ba9hsz6XXRN-cR6QHM_CWEbV5QCft-g@mail.gmail.com
Lists: pgsql-general

On Wed, Apr 19, 2023 at 2:19 PM Bryn Llewellyn <bryn(at)yugabyte(dot)com> wrote:

> This tip
>
> «
> It is good practice to create a role that has the CREATEDB and CREATEROLE
> privileges, but is not a superuser, and then use this role for all routine
> management of databases and roles. This approach avoids the dangers of
> operating as a superuser for tasks that do not really require it.
> »
>
> used to be found in all versions of the PG doc
>
> What was the rationale for removing it? The practice recommendation makes
> sense to me. And I've implemented a scheme for database and role
> provisioning that uses just such a non-superuser with CREATEDB and
> CREATEROLE. I'm pleased with it.
>
>

It was removed in this commit:
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=1c77873727dfd2e48ab2ece84d1fb1676e95f9a5

According to the commit comment, there's little security advantage to using
a role with CREATEDB and CREATEROLE privileges.
