| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Joe Conway <mail(at)joeconway(dot)com> |
| Cc: | "Hackers (PostgreSQL)" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: roles question |
| Date: | 2005-07-09 19:13:08 |
| Message-ID: | 20050709191308.GW24207@ns.snowman.net |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
* Joe Conway (mail(at)joeconway(dot)com) wrote:
> After months of being unable to keep up with what's going on here, I'm
> trying to educate myself on some of the latest developments. I was
> playing with roles a bit, and I don't know if I'm doing something wrong,
> or if I found a hole:
Things have changed a bit (we're more closely following the SQL spec,
for one thing :).
> works fine:
> regression=# create role testrole2 with user testuser;
> CREATE ROLE
I don't think it's actually required (per spec) for us to allow this,
but we do because it makes some sense.
> doesn't work:
> regression=# alter role testrole with user testuser;
> ERROR: option "rolemembers" not recognized
To give 'testuser' the rights of 'testrole' you should do:
grant testrole to testuser;
> works fine:
> regression=# alter group testrole add user testuser;
> ALTER ROLE
This works for backwards compatibility, really, not because it's
something the 'ALTER ROLE' command is supposted to be able to do.
> doesn't work (no surprise, is a syntax error):
> regression=# alter role testrole add user testuser;
> ERROR: syntax error at or near "add" at character 21
> LINE 1: alter role testrole add user testuser;
I had made this work in my original patch (iirc) but I believe Tom
dropped it because you really should be using GRANT instead.
> It seems I can create a role with a user, and I can use ALTER GROUP
> syntax to add a user to a role, but I can't figure out how to add a user
> to a role using ALTER ROLE.
Using the 'grant role statement', per the SQL spec.
> Similarly, these might be just plain abuse of the new syntax, but appear
> to be allowed by gram.y:
>
> regression=# alter user testuser in role testrole;
> ERROR: option "addroleto" not recognized
> regression=# alter user testuser in group testrole;
> ERROR: option "addroleto" not recognized
This is because create role, alter role, alter user, etc, use the
same set of options (since there's a large overlap) in the syntax,
though some things don't make sense for some of those commands.
Thanks,
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Joe Conway | 2005-07-09 19:17:37 | Re: roles question |
| Previous Message | Joe Conway | 2005-07-09 18:59:36 | roles question |