| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Carlos Mennens <carlos(dot)mennens(at)gmail(dot)com> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Inherit Superuser Role Help |
| Date: | 2013-04-18 03:16:31 |
| Message-ID: | 18658.1366254991@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Carlos Mennens <carlos(dot)mennens(at)gmail(dot)com> writes:
> Shouldn't 'carlos' be a superuser based on him being a member of a
> role which has createdb and superuser rights granted to it?
No. Superuserness is quite intentionally not inheritable.
It's perhaps a bit more debatable whether other role privilege bits such
as CREATEDB ought to be inheritable. The position we've taken though
is that only grant-able rights inherit via GRANT ROLE.
This is documented under CREATE ROLE:
The INHERIT attribute governs inheritance of grantable privileges (that
is, access privileges for database objects and role memberships). It
does not apply to the special role attributes set by CREATE ROLE and
ALTER ROLE. For example, being a member of a role with CREATEDB
privilege does not immediately grant the ability to create databases,
even if INHERIT is set; it would be necessary to become that role via
SET ROLE before creating a database.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Atri Sharma | 2013-04-18 07:54:58 | Emulating trigger BEFORE SELECT behavior |
| Previous Message | Carlos Mennens | 2013-04-18 03:06:18 | Inherit Superuser Role Help |