From: | Thomas Kellerer <spam_eater(at)gmx(dot)net> |
---|---|
To: | pgsql-general(at)lists(dot)postgresql(dot)org |
Subject: | Re: Postgres Enhancement Request |
Date: | 2019-03-20 14:13:01 |
Message-ID: | 67e4608d-5bce-02eb-2909-a624743d1055@gmx.net |
Lists: | pgsql-general |
Tom Lane wrote on 20.03.2019 at 14:59:
>>> Please prevent users with CREATEROLE to create roles having CREATEDB (analogous SUPERUSER and REPLICATION).
>
>> I agree that would be a welcome enhancement.
>
> No, it wouldn't. The point of CREATEROLE is to allow user creation
> and deletion to be done by a role that's less than full superuser.
> If we changed it like that, then you'd be right back at needing
> superuser for very routine role creations. That's *not* an
> improvement, even if it somehow fit better into the OP's desired
> security model (which he hasn't explained).

I didn't take this to be a request to remove the createdb privilege in general, but a request to have finer-grained control over what kind of privileges the role with createrole can grant to newly created roles (or what it can do in general).

Maybe if "createrole" was a regular privilege (like "create table"), then something like this would be possible:

    create role user_admin;
    grant create role to user_admin;

Thomas