From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Mark Dilger <mark(dot)dilger(at)enterprisedb(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: fixing CREATEROLE |
Date: | 2022-11-23 21:27:55 |
Message-ID: | CAKFQuwa7gFPsre4hHBv16Mq6EWoMu5wBLj0os6izs4UmCw3eUw@mail.gmail.com |
Lists: | pgsql-hackers |
On Wed, Nov 23, 2022 at 2:18 PM Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> On Wed, Nov 23, 2022 at 3:59 PM David G. Johnston
> <david(dot)g(dot)johnston(at)gmail(dot)com> wrote:
> > I haven't yet formed a complete thought here but is there any reason we
> > cannot convert the permission-like attributes to predefined roles?
> >
> > pg_login
> > pg_replication
> > pg_bypassrls
> > pg_createdb
> > pg_createrole
> > pg_haspassword (password and valid until)
> > pg_hasconnlimit
> >
> > Presently, attributes are never inherited, but having that be controlled
> > via the INHERIT property of the grant seems desirable.
>
> I think that something like this might be possible, but I'm not
> convinced that it's a good idea.
>
> Either way, I'm not quite sure what the benefit of converting these
> things to predefined roles is.
Specifically, you gain inheritance/set and "admin option" for free. So
whether I have an ability and whether I can grant it are separate concerns.
> A password is a fine example of that. You should never
> inherit someone else's password. Whether we've chosen the right set of
> things to treat as per-role properties rather than predefined roles is
> very much debatable, though, as are a number of other aspects of the
> role system.
>
You aren't inheriting a specific password, you are inheriting the right to
have a password stored in the database, with an optional expiration date.
>
> For instance, I'm pretty well unconvinced that merging users and
> groups into a uniformed thing called roles was a good idea.
I agree. No one was interested in the, admittedly complex, psql queries I
wrote the other month but I decided to undo some of that decision there.
David J.
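The following script is an added illustration of the distinction the thread is arguing about; it is not part of the message above and not code from the PostgreSQL project. It assumes PostgreSQL 15 semantics (inheritance controlled by the member role's INHERIT/NOINHERIT attribute, not yet by a per-grant option), a psql session opened as a superuser, and constructed role, table and database names (`attr_holder`, `attr_member`, `reader_admin`, `reader`, `reader_noinherit`, `auditor`, `secret_ledger`, `demo_db`).

```sql
-- Added example, not from the thread. Run as a superuser in psql.
-- Part 1: a role ATTRIBUTE (CREATEDB) is never reached through membership.
CREATE ROLE attr_holder NOLOGIN CREATEDB;
CREATE ROLE attr_member LOGIN IN ROLE attr_holder;   -- INHERIT is the default

SET ROLE attr_member;
CREATE DATABASE demo_db;    -- ERROR: permission denied to create database
RESET ROLE;

-- The only way to exercise the attribute is to become the role that holds it.
-- (A session logged in as attr_member could SET ROLE attr_holder, because
-- membership allows the switch; the attribute itself still does not flow down.)
SET ROLE attr_holder;
CREATE DATABASE demo_db;    -- succeeds, but only while acting as attr_holder
RESET ROLE;

-- Part 2: a PREDEFINED ROLE is an ordinary grant, so it inherits and it carries
-- an ADMIN OPTION that is separate from the ability to use it.
CREATE TABLE secret_ledger (id int, note text);      -- constructed, no GRANTs
INSERT INTO secret_ledger VALUES (1, 'only readable via privileges');

CREATE ROLE reader_admin NOLOGIN;
GRANT pg_read_all_data TO reader_admin WITH ADMIN OPTION;

CREATE ROLE reader LOGIN IN ROLE reader_admin;             -- INHERIT
CREATE ROLE reader_noinherit LOGIN NOINHERIT IN ROLE reader_admin;
CREATE ROLE auditor LOGIN;

-- Inheritance: reader gets pg_read_all_data through reader_admin, no SET ROLE.
SET ROLE reader;
SELECT count(*) FROM secret_ledger;      -- returns 1
RESET ROLE;

-- NOINHERIT switches that off for reader_noinherit ...
SET ROLE reader_noinherit;
SELECT count(*) FROM secret_ledger;      -- ERROR: permission denied for table
-- ... until it explicitly assumes the role that holds the privilege.
SET ROLE reader_admin;
SELECT count(*) FROM secret_ledger;      -- returns 1
RESET ROLE;

-- Admin option: reader_admin may hand pg_read_all_data to others ...
SET ROLE reader_admin;
GRANT pg_read_all_data TO auditor;       -- succeeds (ADMIN OPTION held)
RESET ROLE;

-- ... whereas reader can USE the privilege but cannot GRANT it onward.
SET ROLE reader;
GRANT pg_read_all_data TO attr_member;   -- ERROR: must have admin option on role
RESET ROLE;

-- Cleanup of the constructed objects.
DROP DATABASE demo_db;
DROP TABLE secret_ledger;
DROP ROLE auditor, reader_noinherit, reader, reader_admin, attr_member, attr_holder;
```

Part 1 shows why the attribute model forces identity switching: having CREATEDB on a parent role gives members nothing unless they become that role. Part 2 is the "for free" behaviour referred to in the message: membership in a predefined role follows the normal inheritance rules, and WITH ADMIN OPTION separates "can use" from "can grant", which is exactly the split that role attributes lack today.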