From: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
---|---|
To: | Noah Misch <noah(at)leadboat(dot)com> |
Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>, José Luis Tallón <jltallon(at)adv-solutions(dot)net>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Default Roles |
Date: | 2016-04-18 05:27:22 |
Message-ID: | CAB7nPqT9RA-+rRAy7t91adt4soTX0TXL04MNkQRK5fAKP6egvQ@mail.gmail.com |
Lists: | pgsql-hackers |
On Mon, Apr 18, 2016 at 12:05 PM, Noah Misch <noah(at)leadboat(dot)com> wrote:
> On Sun, Apr 17, 2016 at 08:04:03PM -0400, Noah Misch wrote:
>> On Thu, Apr 07, 2016 at 03:50:47PM -0400, Stephen Frost wrote:
>> > I'm planning to continue going over the patch tomorrow morning with
>> > plans to push this before the feature freeze deadline.
>>
>> > --- a/src/test/regress/expected/rolenames.out
>> > +++ b/src/test/regress/expected/rolenames.out
>>
>> > +GRANT testrol0 TO pg_abc; -- error
>> > +ERROR: role "pg_abc" is reserved
>> > +DETAIL: Cannot GRANT roles to a reserved role.
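Review bot: The expected output at `GRANT testrol0 TO pg_abc; -- error` covers the reserved-role check for GRANT only; membership can also be set through the role-list clauses of CREATE ROLE and ALTER ROLE, and nothing in these lines exercises them. Suggest adding error cases next to this one that name a reserved role in such a list, expecting the same `role "pg_abc" is reserved` error, so the paths that change membership cannot diverge.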
>>
>> The server still accepts "ALTER ROLE testrol0 USER pg_signal_backend". It
>> should block this ALTER ROLE if it blocks the corresponding GRANT.
Following this logic, shouldn't CREATE ROLE USER be forbidden as well?

=# create role toto1 user pg_signal_backend;
CREATE ROLE
=# create role toto2;
CREATE ROLE
=# alter role toto2 user pg_signal_backend;
ALTER ROLE
=# \dgS+ pg_signal_backend
List of roles
Role name | Attributes | Member of | Description
-------------------+--------------+---------------+-------------
pg_signal_backend | Cannot login | {toto1,toto2} |

In short, a reserved role should never be a member of another role/group,
as per the attached.
--
Michael
Attachment | Content-Type | Size |
---|---|---|
catalog-acl-group.patch | application/x-download | 2.8 KB |
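
An audit query for the state shown in the psql session above, added here as an example (it is not part of the attached patch or of the thread). It lists every role that a reserved role has been made a member of, following membership chains, and assumes reserved roles are recognised by the `pg_` name prefix.

```sql
-- Added example: find reserved roles that are members of other roles.
-- Assumption: a reserved role is any role whose name starts with "pg_".
WITH RECURSIVE reach(reserved_role, via, member_of, hops) AS (
    -- Direct memberships: the reserved role is the *member* side of the row.
    SELECT m.oid, m.oid, am.roleid, 1
    FROM pg_auth_members AS am
    JOIN pg_roles AS m ON m.oid = am.member
    WHERE m.rolname ~ '^pg_'
  UNION
    -- Indirect memberships: follow each group to the groups it belongs to.
    -- Role membership cannot be circular, so the recursion terminates.
    SELECT r.reserved_role, r.member_of, am.roleid, r.hops + 1
    FROM reach AS r
    JOIN pg_auth_members AS am ON am.member = r.member_of
)
SELECT rr.rolname AS reserved_role,
       v.rolname  AS via,
       g.rolname  AS member_of,
       r.hops
FROM reach AS r
JOIN pg_roles AS rr ON rr.oid = r.reserved_role
JOIN pg_roles AS v  ON v.oid  = r.via
JOIN pg_roles AS g  ON g.oid  = r.member_of
ORDER BY rr.rolname, r.hops, g.rolname;
```

After the session above, this returns two rows for `pg_signal_backend` (`toto1` and `toto2`, each at one hop); an empty result means no reserved role is a member of anything.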