| From: | Wolfgang Walther <walther(at)technowledgy(dot)de> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: has_privs_of_role vs. is_member_of_role, redux |
| Date: | 2022-09-08 16:30:19 |
| Message-ID: | 16d92701-70bb-1a00-f9c4-2ce99328944a@technowledgy.de |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Robert Haas:
>> I think to change the owner of an object from role A to role B, you just
>> need a different "privilege" on that role B to "use" the role that way,
>> which is distinct from INHERIT or SET ROLE "privileges".
>
> It's not distinct, though, because if you can transfer ownership of a
> table to another user, you can use that ability to gain the privileges
> of that user.
Right, but the inverse is not neccessarily true, so you could have SET
ROLE privileges, but not "USAGE" - and then couldn't change the owner of
an object to this role.
USAGE is not a good term, because it implies "least amount of
privileges", but in this case it's quite the opposite.
In any case, adding a grant option for SET ROLE, while keeping the
required privileges for a transfer of ownership at the minimum
(membership only), doesn't really make sense. I guess both threads
should be discussed together?
Best
Wolfgang
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andres Freund | 2022-09-08 16:44:09 | Re: Reducing the chunk header sizes on all memory context types |
| Previous Message | Drouvot, Bertrand | 2022-09-08 16:07:05 | Re: [PATCH] Query Jumbling for CALL and SET utility statements |