> On Sep 30, 2021, at 3:07 AM, Ashutosh Sharma <ashu.coe...@gmail.com> wrote:
> 
> While working on one of the internal projects I noticed that currently in 
> Postgres, we do not allow normal users to alter attributes of the replication 
> user. However, we do allow normal users to drop replication users or even to 
> rename them using the alter command. Is that behaviour ok? If yes, can someone 
> please help me understand how and why this is okay.

The definition of CREATEROLE is a bit of a mess.  Part of the problem is that 
roles do not have owners, which makes the permissions to drop roles work 
differently than for other object types.  I have a patch pending [1] for the 
version 15 development cycle that fixes this and other problems.  I'd 
appreciate feedback on the design and whether it addresses your concerns.

[1] https://commitfest.postgresql.org/34/3223/

—
Mark Dilger
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
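
An added audit query, not part of the original messages or of the PostgreSQL project's code: it lists the non-superuser login roles that hold CREATEROLE, directly or by being able to SET ROLE to a holder, next to the non-superuser replication roles that the behaviour described in the thread would let them drop or rename. It relies only on the `pg_roles` view and `pg_has_role()`; the column aliases are illustrative.

```sql
-- Exposure audit for the behaviour discussed in this thread.
-- Each result row means: login_role can act with CREATEROLE (through
-- createrole_via) and replication_role is a non-superuser role carrying
-- the REPLICATION attribute, so it is within reach of DROP ROLE and
-- ALTER ROLE ... RENAME TO issued by that login.
SELECT m.rolname AS login_role,
       c.rolname AS createrole_via,
       r.rolname AS replication_role
FROM pg_roles AS c
-- 'MEMBER' is true for the role itself and for direct or indirect
-- members, i.e. anyone who can SET ROLE to the CREATEROLE holder.
JOIN pg_roles AS m
  ON pg_has_role(m.oid, c.oid, 'MEMBER')
CROSS JOIN pg_roles AS r
WHERE c.rolcreaterole
  AND NOT c.rolsuper
  AND m.rolcanlogin
  AND NOT m.rolsuper          -- superusers can do this regardless
  AND r.rolreplication
  AND NOT r.rolsuper          -- superuser targets need a superuser actor
  AND r.oid <> m.oid
ORDER BY m.rolname, r.rolname;
```

An empty result means no non-superuser login can currently reach a replication role this way; any rows are candidates for revoking CREATEROLE or the membership that grants it.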




