On Sat, Aug 5, 2023 at 04:08:47PM -0700, Noah Misch wrote:
> On Thu, May 18, 2023 at 04:49:47PM -0400, Bruce Momjian wrote:
> > https://momjian.us/pgsql_docs/release-16.html
>
> > <!--
> > Author: Robert Haas <rh...@postgresql.org>
> > 2023-01-10 [cf5eb37c5] Restrict the privileges of CREATEROLE users.
> > -->
> >
> > <listitem>
> > <para>
> > Restrict the privileges of CREATEROLE roles (Robert Haas)
> > </para>
> >
> > <para>
> > Previously roles with CREATEROLE privileges could change many aspects of
> > any non-superuser role. Such changes, including adding members, now
> > require the role requesting the change to have ADMIN OPTION
> > permission.
> > </para>
> > </listitem>
> >
> > <!--
> > Author: Robert Haas <rh...@postgresql.org>
> > 2023-01-24 [f1358ca52] Adjust interaction of CREATEROLE with role
> > properties.
> > -->
> >
> > <listitem>
> > <para>
> > Improve logic of CREATEROLE roles ability to control other roles (Robert
> > Haas)
> > </para>
> >
> > <para>
> > For example, they can change the CREATEDB, REPLICATION, and BYPASSRLS
> > properties only if they also have those permissions.
> > </para>
> > </listitem>
>
> CREATEROLE is a radically different feature in v16. In v15-, it was an
> almost-superuser. In v16, informally speaking, it can create and administer
> its own collection of roles, but it can't administer roles outside its
> collection or grant memberships or permissions not offered to itself. Hence,
> let's move these two into the incompatibilities section. Let's also merge
> them, since f1358ca52 is just doing to clauses like CREATEDB what cf5eb37c5
> did to role memberships.
Good point. I have adjusted this item with the attached patch.

-- 
Bruce Momjian <br...@momjian.us> https://momjian.us
EDB https://enterprisedb.com

Only you can decide what is important to you.
diff --git a/doc/src/sgml/release-16.sgml b/doc/src/sgml/release-16.sgml index 1213f876f4..cccdc01d11 100644 --- a/doc/src/sgml/release-16.sgml +++ b/doc/src/sgml/release-16.sgml @@ -244,6 +244,24 @@ Collations and locales can vary between databases so having them as read-only se </para> </listitem> +<!-- +Author: Robert Haas <rh...@postgresql.org> +2023-01-10 [cf5eb37c5] Restrict the privileges of CREATEROLE users. +Author: Robert Haas <rh...@postgresql.org> +2023-01-24 [f1358ca52] Adjust interaction of CREATEROLE with role properties. +--> + +<listitem> +<para> +Restrict the privileges of CREATEROLE and its ability to modify other roles (Robert Haas) +</para> + +<para> +Previously roles with CREATEROLE privileges could change many aspects of any non-superuser role. Such changes, including adding members, now require the role requesting the change to have ADMIN OPTION +permission. For example, they can now change the CREATEDB, REPLICATION, and BYPASSRLS properties only if they also have those permissions. +</para> +</listitem> + <!-- Author: Nathan Bossart <nat...@postgresql.org> 2023-05-21 [2dcd1578c] Rename some createuser options. 
@@ -822,37 +840,6 @@ Previously CREATEROLE permission was required. </para> </listitem> -<!-- -Author: Robert Haas <rh...@postgresql.org> -2023-01-10 [cf5eb37c5] Restrict the privileges of CREATEROLE users. ---> - -<listitem> -<para> -Restrict the privileges of CREATEROLE roles (Robert Haas) -</para> - -<para> -Previously roles with CREATEROLE privileges could change many aspects of any non-superuser role. Such changes, including adding members, now require the role requesting the change to have ADMIN OPTION -permission. -</para> -</listitem> - -<!-- -Author: Robert Haas <rh...@postgresql.org> -2023-01-24 [f1358ca52] Adjust interaction of CREATEROLE with role properties. ---> - -<listitem> -<para> -Improve logic of CREATEROLE roles ability to control other roles (Robert Haas) -</para> - -<para> -For example, they can change the CREATEDB, REPLICATION, and BYPASSRLS properties only if they also have those permissions. -</para> -</listitem> - <!-- Author: Robert Haas <rh...@postgresql.org> 2022-08-25 [e3ce2de09] Allow grant-level control of role inheritance behavior.
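Review bot: in the merged item's second paragraph (first hunk, the new <para> under "Restrict the privileges of CREATEROLE and its ability to modify other roles"), "For example, they can now change the CREATEDB, REPLICATION, and BYPASSRLS properties only if they also have those permissions" is presented as an example of the ADMIN OPTION sentence before it, but it is the separate f1358ca52 rule, which Noah describes upthread as doing to clauses like CREATEDB what cf5eb37c5 did to role memberships. Suggest making that parallel explicit, e.g. "... require the role requesting the change to have ADMIN OPTION on the role being changed. Likewise, CREATEROLE roles can now set the CREATEDB, REPLICATION, and BYPASSRLS attributes only if they hold those attributes themselves." Since this now sits in the incompatibilities section, it would also help to state what CREATEROLE still can do (per Noah's summary: create roles and administer its own collection of them), so readers can judge whether existing CREATEROLE-based administration scripts keep working. Style point on the title: "privileges of CREATEROLE and its ability" treats CREATEROLE as a role; the original wording "CREATEROLE roles ... their ability" matches the other items.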
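The v16 boundary Noah describes above (a CREATEROLE role administers the roles it creates, but not roles outside that collection, and cannot hand out attributes it lacks itself) as a script that can be run against a PostgreSQL 16 server to confirm the behaviour before and after an upgrade. This is an added example, not part of the thread or of the attached patch. The role names, the placeholder passwords, and the assumption that the script is started by a superuser in psql are all mine; the statements marked "fails" report an error and psql continues with the next statement.

```sql
-- Added example (not from the thread): exercising the PostgreSQL 16 CREATEROLE boundary.
-- Assumes a PostgreSQL 16 server and a psql session started as a superuser.
-- Role names admin_a, app_reader, app_writer, legacy_role and the passwords are hypothetical.

-- A CREATEROLE role that also holds CREATEDB but deliberately lacks BYPASSRLS and REPLICATION.
CREATE ROLE admin_a LOGIN CREATEROLE CREATEDB NOBYPASSRLS NOREPLICATION;

-- A pre-existing role that admin_a did not create and holds no ADMIN OPTION on.
CREATE ROLE legacy_role LOGIN;

SET ROLE admin_a;

-- Creating roles still works; in v16 the creator is automatically granted
-- membership in each new role WITH ADMIN OPTION, which is what lets it administer them.
CREATE ROLE app_reader;
CREATE ROLE app_writer;

-- Administering its own collection: allowed (admin_a has ADMIN OPTION on both).
GRANT app_reader TO app_writer;
ALTER ROLE app_reader PASSWORD 'reader-placeholder';
ALTER ROLE app_writer CREATEDB;                 -- allowed: admin_a itself has CREATEDB

-- Attributes admin_a does not hold cannot be given to others (f1358ca52).
ALTER ROLE app_writer BYPASSRLS;                -- fails: admin_a lacks BYPASSRLS
ALTER ROLE app_writer REPLICATION;              -- fails: admin_a lacks REPLICATION
ALTER ROLE app_writer SUPERUSER;                -- fails: only a superuser may set SUPERUSER

-- Roles outside the collection need ADMIN OPTION (cf5eb37c5).
-- On v15 a CREATEROLE role could do all three of these to any non-superuser role.
ALTER ROLE legacy_role PASSWORD 'hijacked';     -- fails: no ADMIN OPTION on legacy_role
GRANT legacy_role TO app_writer;                -- fails: same reason
DROP ROLE legacy_role;                          -- fails: same reason

RESET ROLE;

-- A superuser can place legacy_role into admin_a's collection explicitly.
GRANT legacy_role TO admin_a WITH ADMIN OPTION;

SET ROLE admin_a;
ALTER ROLE legacy_role PASSWORD 'rotated-placeholder';   -- now allowed
GRANT legacy_role TO app_writer;                         -- now allowed
RESET ROLE;

-- Read the boundary back from the catalog: the roles admin_a may administer.
SELECT m.roleid::regrole AS administered_role
FROM pg_auth_members AS m
WHERE m.member = 'admin_a'::regrole
  AND m.admin_option;

-- Cleanup (order matters: drop the administered roles before their administrator).
DROP ROLE app_writer, app_reader, legacy_role, admin_a;
```

The catalog query at the end is the useful part for an audit: on v16 the set of roles a CREATEROLE user can alter, drop, or grant membership in is exactly the set of roles on which it holds ADMIN OPTION, so a review of pg_auth_members per administrator role shows the full blast radius of that account.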