Re: [Extern] Re: postgres event trigger workaround

From: Julien Rouhaud <rjuju123(at)gmail(dot)com>
To: "Zwettler Markus (OIZ)" <Markus(dot)Zwettler(at)zuerich(dot)ch>
Cc: "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: [Extern] Re: postgres event trigger workaround
Date: 2022-01-14 10:23:55
Message-ID: 20220114102355.755ir3gpo6mf7y4j@jrouhaud
Lists: pgsql-general

Hi,

On Fri, Jan 14, 2022 at 09:01:12AM +0000, Zwettler Markus (OIZ) wrote:
>
> We have the need to separate user (role) management from infrastructure (database) management.
>
> Granting CREATEROLE to any role also allows this role to create other roles having CREATEDB privileges and therefore also getting CREATEDB privileges.
>
> My use case would have been to grant CREATEROLE to any role while still restricting "create database".

I see, that's indeed a problem. You could probably enforce that using some
custom module to enforce additional rules on top of CREATE ROLE processing, but
it would have to be written in C.
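One way to get the separation asked about above without a C module, as an added example that is not from this thread or the PostgreSQL project: instead of granting CREATEROLE to the user manager, grant EXECUTE on a SECURITY DEFINER function that creates roles with fixed attributes. The names `role_admin`, `user_manager`, `role_mgmt` and `create_login_role` are hypothetical, and the setup is assumed to run as a superuser.

```sql
-- Added example; all role, schema and function names are hypothetical.
-- Owner of the wrapper: holds CREATEROLE but cannot log in or create databases.
CREATE ROLE role_admin NOLOGIN CREATEROLE NOCREATEDB;
-- Delegated user manager: holds neither CREATEROLE nor CREATEDB.
CREATE ROLE user_manager LOGIN NOCREATEROLE NOCREATEDB;

CREATE SCHEMA role_mgmt AUTHORIZATION role_admin;

CREATE FUNCTION role_mgmt.create_login_role(p_name text, p_password text)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER                          -- body runs with role_admin's privileges
SET search_path = pg_catalog, pg_temp     -- pin name resolution inside the function
AS $$
BEGIN
    IF p_name ~ '^pg_' THEN
        RAISE EXCEPTION 'role name "%" is reserved', p_name;
    END IF;
    -- Attributes are fixed here: the caller cannot ask for CREATEDB,
    -- CREATEROLE or SUPERUSER. %I quotes the identifier, %L the literal.
    EXECUTE format(
        'CREATE ROLE %I LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE PASSWORD %L',
        p_name, p_password);
END;
$$;

ALTER FUNCTION role_mgmt.create_login_role(text, text) OWNER TO role_admin;
-- Functions are executable by PUBLIC by default; restrict to the user manager.
REVOKE ALL ON FUNCTION role_mgmt.create_login_role(text, text) FROM PUBLIC;
GRANT USAGE ON SCHEMA role_mgmt TO user_manager;
GRANT EXECUTE ON FUNCTION role_mgmt.create_login_role(text, text) TO user_manager;

-- As user_manager:
--   SELECT role_mgmt.create_login_role('app_user', 'constructed-sample-password');
--   CREATE ROLE x CREATEDB;   -- fails: user_manager has no CREATEROLE

-- Audit: non-superuser roles that can still create roles or databases directly.
SELECT rolname, rolcreaterole, rolcreatedb, rolcanlogin
FROM pg_roles
WHERE NOT rolsuper AND (rolcreaterole OR rolcreatedb)
ORDER BY rolname;
```

Changing or dropping roles would need similar wrappers, and statement logging such as `log_statement = 'all'` records the function call including the password argument.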
