Re: Orphaned users in PG16 and above can only be managed by Superusers

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Ashutosh Sharma <ashu(dot)coek88(at)gmail(dot)com>
Cc: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Orphaned users in PG16 and above can only be managed by Superusers
Date: 2025-01-23 21:03:15
Message-ID: CA+TgmoY2Vf54bbGoFoigu34i99ZPJqh2vta_tK6kSdfQUV_=Ew@mail.gmail.com
Lists: pgsql-hackers

On Thu, Jan 23, 2025 at 4:02 PM Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> On Wed, Jan 22, 2025 at 6:08 AM Ashutosh Sharma <ashu(dot)coek88(at)gmail(dot)com> wrote:
> > Thanks for sharing your thoughts and inputs. I'm also not quite clear
> > about the fix. Some of the solutions/changes you've mentioned above
> > seem quite complex and may not be reasonable, as you pointed out. How
> > about introducing a new predefined role, perhaps something like
> > pg_admin_all, which, when granted to an admin user in the system,
> > would allow them to manage all non-superusers on the server?
>
> IMHO, this is a hack. Let's suppose the superuser creates roles A and
> X with CREATEROLE. A creates B, who creates C. X creates Y, who
> creates Z. Now A drops B. We want A to retain the ability to
> administer C, but we do not want X to suddenly acquire the ability to
> administer C. If A and C both had pg_admin_all, that's what would
> happen.

Sorry, correction: if A and X both had pg_admin_all, that's what would happen.

--
Robert Haas
EDB: http://www.enterprisedb.com
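
The role chain from the message above, as an added toy model that is not part of the original e-mail and is not PostgreSQL code. It assumes a creator holds ADMIN OPTION on each role it creates and that this authority carries through a chain of such grants, and it treats pg_admin_all as the proposal describes it; the helper names and the superuser name postgres are hypothetical.

```python
# Toy model constructed for this example; not PostgreSQL source code.
SUPERUSER = "postgres"  # hypothetical name for the bootstrap superuser

def build_roles():
    """Superuser creates A and X; A creates B, B creates C; X creates Y, Y creates Z.
    Returns {role: set of roles holding ADMIN OPTION on it} (assumed: the creator)."""
    created_by = {"A": SUPERUSER, "X": SUPERUSER,
                  "B": "A", "C": "B", "Y": "X", "Z": "Y"}
    return {role: {creator} for role, creator in created_by.items()}

def drop_role(admin, victim):
    """Drop a role together with every ADMIN grant it held."""
    return {r: holders - {victim} for r, holders in admin.items() if r != victim}

def admins_by_chain(admin, target):
    """Roles able to administer target: the superuser, plus anyone reaching it
    through a chain of ADMIN grants (an assumption of this model)."""
    seen, todo = {SUPERUSER}, [target]
    while todo:
        for holder in admin.get(todo.pop(), ()):
            if holder not in seen:
                seen.add(holder)
                todo.append(holder)
    return seen

def admins_with_pg_admin_all(admin, target, holders):
    """The proposed pg_admin_all: each holder manages every non-superuser role."""
    return admins_by_chain(admin, target) | (set(holders) - {target})

def meets_goal(admins):
    """Outcome asked for in the reply: A keeps control of C, X gains none."""
    return "A" in admins and "X" not in admins

if __name__ == "__main__":
    roles = build_roles()
    print("before drop:", sorted(admins_by_chain(roles, "C")))
    roles = drop_role(roles, "B")              # A drops B
    orphaned = admins_by_chain(roles, "C")
    print("after drop: ", sorted(orphaned), meets_goal(orphaned))
    proposal = admins_with_pg_admin_all(roles, "C", {"A", "X"})
    print("pg_admin_all:", sorted(proposal), meets_goal(proposal))
```

Neither outcome meets the goal: once B is dropped only the superuser can manage C, and with pg_admin_all granted to both A and X, X can manage C as well.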
