On 10/21/21 19:21, Mark Dilger wrote: >> Also, are we just going to strip >> the current CREATEROLE roles of much of their powers? Maybe it's >> worth keeping a legacy CREATEROLE role attribute for upgraded clusters >> that could eventually be removed down the road. > The patch as written drastically reduces the power of the CREATEROLE > attribute, in a non-backwards compatible way. I wondered if there would be > complaints about that. If so, we could instead leave CREATEROLE alone, and > create some other privileged role for the same thing, but it does start to > look funny having a CREATEROLE privilege bit and also a privileged role > named, perhaps, pg_can_create_roles.
Give that CREATEROLE currently just about amounts to being a superuser, maybe there should be a pg_upgrade option to convert CREATEROLE to SUPERUSER. I don't want to perpetuate the misfeature though, so let's just bring it to an end. cheers andrew -- Andrew Dunstan EDB: https://www.enterprisedb.com
