> On Nov 9, 2021, at 7:36 AM, David Christensen 
> <david.christen...@crunchydata.com> wrote:
> 
> If CINE semantics are at issue, what about the CREATE OR REPLACE semantics 
> with some sort of merge into the existing role?  I don't care strongly about 
> which approach is taken, just think the overall "make this role exist in this 
> form" without an error is useful in my own work, and CINE was easier to 
> implement as a first pass.

CREATE OR REPLACE might be a better option, not with the "merge into the 
existing role" part, but rather as drop+create.  If a malicious actor has 
already added other roles to the role, or created a table with a malicious 
trigger definition, the drop part will fail, which is good from a security 
viewpoint.  Of course, the drop portion will also fail under other conditions 
which don't entail any security concerns, but maybe they could be addressed in 
a series of follow-on patches?

I understand this idea is not as useful for creating idempotent scripts, but 
maybe it gets you part of the way there?

—
Mark Dilger
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
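
The owned-object case from the message above, emulated with statements PostgreSQL already has. This is an added example, not part of the original message or of any proposed patch; the role name `app_role` and the table `t_owned` are hypothetical, and the script assumes a session with the privileges to create and drop roles.

```sql
-- Constructed setup: a pre-existing role that already owns a table,
-- standing in for a role someone else created and populated earlier.
CREATE ROLE app_role NOLOGIN;
CREATE TABLE t_owned (id int);
ALTER TABLE t_owned OWNER TO app_role;

-- Drop+create emulation: replace the role only when it can be dropped cleanly.
DO $$
BEGIN
    IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'app_role') THEN
        BEGIN
            DROP ROLE app_role;
        EXCEPTION WHEN dependent_objects_still_exist THEN
            -- The role owns objects or holds privileges: stop instead of
            -- silently adopting a role whose contents we did not create.
            RAISE EXCEPTION 'role app_role has dependent objects; not replacing it'
                USING HINT = 'Inspect pg_shdepend for this role before reusing it.';
        END;
    END IF;
    CREATE ROLE app_role NOLOGIN;
END
$$;

-- What blocked the drop, as recorded for the current cluster
-- (dbid identifies the database holding each dependent object).
SELECT dbid, classid::regclass AS catalog, objid, deptype
FROM pg_shdepend
WHERE refclassid = 'pg_authid'::regclass
  AND refobjid = 'app_role'::regrole;
```

With the setup as written the `DO` block stops with the raised error and the final query lists the table's ownership dependency; without the setup rows it creates the role and returns no dependencies.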