From: | Nathan Bossart <nathandbossart(at)gmail(dot)com> |
---|---|
To: | Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com> |
Cc: | Alvaro Herrera <alvherre(at)alvh(dot)no-ip(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: improving user.c error messages |
Date: | 2023-02-20 22:58:52 |
Message-ID: | 20230220225852.GA3940888@nathanxps13 |
Lists: | pgsql-hackers |
On Mon, Feb 20, 2023 at 11:02:10AM -0800, Nathan Bossart wrote:
> On Mon, Feb 20, 2023 at 08:54:48AM +0100, Peter Eisentraut wrote:
>> I'm concerned about the loose use of "privilege" here. A privilege is
>> something I can grant. So if someone doesn't have the "REPLICATION
>> privilege", as in the above example, I would expect to be able to do "GRANT
>> REPLICATION TO someuser". Since that is not what is happening, we should
>> use some other term. The documentation around CREATE USER uses the terms
>> "attribute" and "option" (and also "privilege") for these things.
>
> Good point. I will adjust these to use "attribute" instead.
done in v6
>> Similarly -- this is an existing issue but we might as well look at it -- in
>> something like
>>
>> must be superuser or a role with privileges of the
>> pg_write_server_files role
>>
>> the phrase "a role with the privileges of that other role" seems ambiguous.
>> Doesn't it really mean you must be a member of that role?
>
> Membership alone is not sufficient. You must also inherit the privileges
> of the role via the INHERIT option. I thought about making this something
> like
>
> must have the INHERIT option on role %s
>
> but I'm not sure that's accurate either. That wording makes it sound like
> you need to be granted membership to the role directly WITH INHERIT OPTION,
> but what you really need is membership, direct or indirect, with an INHERIT
> chain up to the role in question. However, it looks like "must have the
> ADMIN option on role %s" is used to mean something similar, so perhaps I am
> overthinking it.
For now, I've reworded these as "must inherit privileges of".
--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com
Attachment | Content-Type | Size |
---|---|---|
v6-0001-Improve-user.c-error-messages.patch | text/x-diff | 30.2 KB |
v6-0002-Improve-more-insufficient-privileges-error-messag.patch | text/x-diff | 19.7 KB |
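
The difference between membership and inherited privileges discussed in this message, as an added example that is not part of the original email or the attached patches. It assumes PostgreSQL 16 or later (for the per-grant `WITH INHERIT TRUE|FALSE` syntax) and a superuser session in a scratch database; the `demo_*` role names are constructed for illustration. `pg_has_role(..., 'MEMBER')` reports direct or indirect membership regardless of inheritance, while `pg_has_role(..., 'USAGE')` reports whether the role's privileges are available without `SET ROLE`.

```sql
-- Added illustration; demo_* roles are constructed and rolled back at the end.
BEGIN;

CREATE ROLE demo_direct   LOGIN;
CREATE ROLE demo_noinh    LOGIN;
CREATE ROLE demo_group    NOLOGIN;
CREATE ROLE demo_indirect LOGIN;
CREATE ROLE demo_broken   LOGIN;

-- Direct membership that inherits the role's privileges.
GRANT pg_write_server_files TO demo_direct WITH INHERIT TRUE;

-- Direct membership without inheritance: a member, but the privileges
-- are only reachable through SET ROLE.
GRANT pg_write_server_files TO demo_noinh WITH INHERIT FALSE;

-- Indirect membership with an unbroken INHERIT chain:
-- demo_indirect -> demo_group -> pg_write_server_files.
GRANT pg_write_server_files TO demo_group WITH INHERIT TRUE;
GRANT demo_group TO demo_indirect WITH INHERIT TRUE;

-- Indirect membership where the first hop does not inherit,
-- so the chain up to pg_write_server_files is broken.
GRANT demo_group TO demo_broken WITH INHERIT FALSE;

-- Compare plain membership with inherited privileges for each role.
SELECT r.rolname,
       pg_has_role(r.rolname, 'pg_write_server_files', 'MEMBER') AS is_member,
       pg_has_role(r.rolname, 'pg_write_server_files', 'USAGE')  AS inherits_privs
FROM pg_roles r
WHERE r.rolname IN ('demo_direct', 'demo_noinh', 'demo_group',
                    'demo_indirect', 'demo_broken')
ORDER BY r.rolname;

ROLLBACK;
```

Rows where `is_member` and `inherits_privs` differ are the cases the thread is concerned with: an error message phrased in terms of membership would be misleading for them.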