From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Ivan Voras <ivoras(at)gmail(dot)com> |
Cc: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: Roles inherited from a role which is the owner of a database can drop it? |
Date: | 2017-10-31 12:12:12 |
Message-ID: | 20171031121212.GU4628@tamriel.snowman.net |
Lists: | pgsql-general |

Greetings,

* Ivan Voras (ivoras(at)gmail(dot)com) wrote:
> On 30 October 2017 at 22:10, David G. Johnston <david(dot)g(dot)johnston(at)gmail(dot)com>
> wrote:
> > Not quite following but ownership is an inheritable permission;
>
> Basically, I'm asking if "ownership" can be revoked from the set of
> inherited permissions? If there is a role G which is granted to role A, and
> G is the owner of a database, can A be made to not be able to do what only
> owners can (specifically in this case, drop databases)?

No, that's exactly what role membership means- you have the same rights
as the other role.

> > and even if it was not SET ROLE is all that would be required. Any owner
> > can drop an object that it owns.
>
> It's kind of the reverse: I'm wondering if ownership can be made
> un-inheritable.

No, because even if ownership wasn't inheritable the user would simply
do 'SET ROLE owner;' and then have all of the ownership rights that way.

> Just considering the case of dropping databases for now. I.e. let the
> developers do everything except that. It's a start.

I think you're assuming far too much about what being a database owner
means- I'd suggest you really think about why the developers need to be
database owners at all; in other words- what's the *other* privilege
that's currently only available to database owners that you need
developers to be able to do?

I have a hunch that it might be GRANT'ing rights on the database, but
there's only a couple such rights (eg: CONNECT) and you might be better
off managing those in another way.

Thanks!

Stephen
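
The behaviour described in the reply above, as an added SQL illustration that is not part of the original message: membership in the owning role is enough to drop the database even with NOINHERIT, followed by an audit query and a layout that grants database rights without membership in the owner. The names `app_owner`, `app_dev`, `dev_alice` and `appdb` are constructed for this example.

```sql
-- Constructed setup (run as a superuser): a NOLOGIN role owns the database,
-- and a developer is made a member of it with inheritance switched off.
CREATE ROLE app_owner NOLOGIN;
CREATE ROLE dev_alice LOGIN NOINHERIT;
GRANT app_owner TO dev_alice;
CREATE DATABASE appdb OWNER app_owner;

-- Run as dev_alice while connected to a database other than appdb.
-- NOINHERIT only stops automatic use of app_owner's rights;
-- membership still allows switching to the role explicitly.
SET ROLE app_owner;
DROP DATABASE appdb;          -- succeeds: the session now acts as the owner
RESET ROLE;

-- Audit (run as an administrator): every role that is a member of a
-- database owner, directly or indirectly, and can therefore act as it.
-- The owner itself and superusers also appear in the result.
SELECT d.datname,
       o.rolname AS owner,
       m.rolname AS can_act_as_owner
FROM pg_database d
JOIN pg_roles o ON o.oid = d.datdba
JOIN pg_roles m ON pg_has_role(m.oid, o.oid, 'MEMBER')
WHERE NOT d.datistemplate
ORDER BY d.datname, m.rolname;

-- Alternative layout (run as a superuser): developers are never members
-- of app_owner; the database-level rights they need are granted to a
-- separate group role instead.
REVOKE app_owner FROM dev_alice;
CREATE DATABASE appdb OWNER app_owner;   -- recreated after the drop above
CREATE ROLE app_dev NOLOGIN;
REVOKE CONNECT ON DATABASE appdb FROM PUBLIC;
GRANT CONNECT, TEMPORARY ON DATABASE appdb TO app_dev;
GRANT app_dev TO dev_alice;

-- Run while connected to appdb: schema-level rights are granted
-- separately from database-level ones.
GRANT USAGE, CREATE ON SCHEMA public TO app_dev;

-- dev_alice can still connect and create objects in appdb, but
-- "SET ROLE app_owner" and "DROP DATABASE appdb" now fail for that role.
```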