On Tue, Jan 24, 2023 at 9:07 AM tushar wrote:
> Right, Neha/I have tested with different scenarios using
> createdb/replication/bypassrls and other
> privileges properties on the role. Also checked pg_dumpall/pg_basebackup and
> everything looks fine.
Thanks. I have committed the patch.
--
Ro
On Mon, Jan 23, 2023 at 10:28 PM Robert Haas wrote:
>
> In previous releases, you needed to have CREATEROLE in order to be
> able to perform user management functions. In master, you still need
> CREATEROLE, and you also need ADMIN OPTION on the role. In this
> scenario, only t1 meets those requi
On Mon, Jan 23, 2023 at 10:25 AM tushar wrote:
> Please refer to this scenario where I am able to give createrole privileges
> but not replication privilege to role
>
> postgres=# create role t1 createrole;
> CREATE ROLE
> postgres=# create role t2 replication;
> CREATE ROLE
> postgres=# create
On Thu, Jan 19, 2023 at 8:34 PM Robert Haas wrote:
> On Thu, Jan 19, 2023 at 6:15 AM tushar wrote:
> > postgres=# create role fff with createrole;
> > CREATE ROLE
> > postgres=# create role xxx;
> > CREATE ROLE
> > postgres=# set role fff;
> > SET
> > postgres=> alter role xxx with createrole;
On Wed, Jan 18, 2023 at 6:17 PM Nathan Bossart wrote:
> > Here is a patch implementing the above proposal. Since this is fairly
> > closely related to already-committed work, I would like to get this
> > into v16. That way, all the changes to how CREATEROLE works will go
> > into a single release,
On Thu, Jan 19, 2023 at 6:15 AM tushar wrote:
> postgres=# create role fff with createrole;
> CREATE ROLE
> postgres=# create role xxx;
> CREATE ROLE
> postgres=# set role fff;
> SET
> postgres=> alter role xxx with createrole;
> ERROR: permission denied
> postgres=>
Here fff would need ADMIN OP
On 1/19/23 3:05 PM, tushar wrote:
which was working previously without patch.
My bad, I was testing against PG v15 but this issue is not
reproducible on master (without patch).
As you mentioned: "This implements the standard idea that you can't give
permissions you don't have (but you can give
On 1/19/23 4:47 AM, Nathan Bossart wrote:
This seems like a clear improvement to me. However, as the attribute
system becomes more sophisticated, I think we ought to improve the error
messages in user.c. IMHO messages like "permission denied" could be
greatly improved with some added context.
I
On Wed, Jan 18, 2023 at 12:15:33PM -0500, Robert Haas wrote:
> On Mon, Jan 16, 2023 at 2:29 PM Robert Haas wrote:
>> 1. It's still possible for a CREATEROLE user to hand out role
>> attributes that they don't possess. The new prohibitions in
>> cf5eb37c5ee0cc54c80d95c1695d7fca1f7c68cb prevent a CR
On Mon, Jan 16, 2023 at 2:29 PM Robert Haas wrote:
> 1. It's still possible for a CREATEROLE user to hand out role
> attributes that they don't possess. The new prohibitions in
> cf5eb37c5ee0cc54c80d95c1695d7fca1f7c68cb prevent a CREATEROLE user
> from handing out membership in a role on which the