| From: | Thomas Kellerer <spam_eater(at)gmx(dot)net> |
|---|---|
| To: | pgsql-general(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Postgres Enhancement Request |
| Date: | 2019-03-20 10:44:38 |
| Message-ID: | 49902029-5742-00ba-85bd-fd0ba0b7d5f3@gmx.net |
| Lists: | pgsql-general |
Zwettler Markus (OIZ) wrote on 20.03.2019 at 11:10:
> CREATEROLE allows users to create new roles also having the CREATEDB privilege (at least in version 9.6).
>
> We want special users to be able to CREATEROLE without being able to CREATEDB (e.g. when user management is done by the application itself).
>
> Please prevent users with CREATEROLE from creating roles having CREATEDB (analogous to SUPERUSER and REPLICATION).

I agree that would be a welcome enhancement.

As a workaround, you can create a function owned by a superuser (or any other user with the "createrole" privilege) using "security definer" that provides a simple "create user" capability and makes sure that the created user does not have the createdb privilege.

The user/role that should be able to create new roles doesn't need the createrole privilege at all then.
All it needs is the execute privilege on the function.

Thomas
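
The workaround described in the message above, sketched as an added example that is not part of the original post or of PostgreSQL itself. The function name `app_create_user` and the role `user_admin` are hypothetical; `user_admin` is assumed to exist already and to hold neither CREATEROLE nor CREATEDB.

```sql
-- Added example; app_create_user and user_admin are hypothetical names.
-- Run as a superuser or as a role with CREATEROLE: that role becomes the
-- function owner, and the function body executes with its privileges.
BEGIN;

CREATE FUNCTION app_create_user(p_name text, p_password text)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
-- Pin search_path so objects planted in a caller-writable schema cannot
-- shadow anything resolved while running with the owner's privileges.
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    -- Accept only conservative role names and keep the reserved pg_ prefix out.
    IF p_name !~ '^[a-z_][a-z0-9_]{0,62}$' OR p_name ~ '^pg_' THEN
        RAISE EXCEPTION 'invalid role name: %', p_name;
    END IF;

    -- The attributes are fixed here; the caller controls only name and password.
    -- %I quotes the identifier and %L the literal, so neither argument can
    -- change the shape of the statement (for example by appending CREATEDB).
    EXECUTE format(
        'CREATE ROLE %I LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION PASSWORD %L',
        p_name, p_password);
END;
$$;

-- New functions are executable by PUBLIC by default. Revoking inside the same
-- transaction means the function is never callable by anyone unintended.
REVOKE ALL ON FUNCTION app_create_user(text, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION app_create_user(text, text) TO user_admin;

COMMIT;
```

The password is passed in clear text inside the function call, so it can appear in the server log when statement logging is enabled.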