| From: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
|---|---|
| To: | David Legault <legault(dot)david(at)gmail(dot)com> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: ROLE INHERIT |
| Date: | 2007-02-15 23:59:51 |
| Message-ID: | 20070215235951.GZ4682@alvh.no-ip.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
David Legault escribió:
> Hello,
>
> I'm a bit new to Postgre, and I'm experimenting with the roles stuff.
>
> I want to know why If I create a role called "administrator" (a group
> basically, no login) :
>
> CREATE ROLE administrator NOSUPERUSER INHERIT NOCREATEDB CREATEROLE;
>
> And then create a user
>
> CREATE ROLE admin LOGIN PASSWORD 'password' ON ROLE administrator;
>
> admin doesn't have the CREATEROLE privilege himself, but because he is part
> of a group that has it, why doesn't this fall back on him having it?
>
> When I try to use that admin user to create another role, it says
> insufficient privileges.
>
> Am I missing something in this role stuff ?
A single point, which is that while the privileges that are inherited
are those that you can GRANT and REVOKE with the respective commands.
CREATEROLE and the others are not inherited.
Also, keep in mind that while role "admin" does not have CREATEDB
privilege, if you grant it the CREATEROLE privilege it will easily be
able to create a database by creating another role with CREATEDB
privilege. So don't grant CREATEROLE to just anyone.
FYI, the short name of PostgreSQL is "Postgres", not Postgre.
--
Alvaro Herrera http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
| From | Date | Subject | |
|---|---|---|---|
| Next Message | David Legault | 2007-02-16 00:12:12 | Re: ROLE INHERIT |
| Previous Message | Paul Lambert | 2007-02-15 23:53:19 | Re: ROLE INHERIT |