| From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
|---|---|
| To: | AC Gomez <antklc(at)gmail(dot)com> |
| Cc: | "pgsql-generallists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: New Role drop with Grant/Revokes stop working after subsequent runs |
| Date: | 2020-05-07 00:20:19 |
| Message-ID: | CAKFQuwbkc5NW3UW4EVoifHjYTwEvrAEfNAEkREQU2fz82feGxg@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Wed, May 6, 2020 at 5:05 PM AC Gomez <antklc(at)gmail(dot)com> wrote:
> We have developed some code that creates a new role to be used as the main
> role for DB usage. This code will be called on a predetermined frequency to
> act a role/pwd rotation mechanism.
>
> Each time the code is run we feed it the prior role that was created (the
> Db owner being the initial role fed in).
>
Frankly, I don't know why your algorithm is failing to work but I'd suggest
you implement a better algorithm.
Ownership and permissions are granted to roles (groups) that are not
allowed to login.
Login roles are made members of the group roles.
I suppose the main question is, why would a bunch of grant and revoke
> commands run and not do anything, not even throw an error?
>
Maybe its a bug? - I doubt this kind of manipulation is all that common or
tested given the presence of what seems to be a superior alternative.
David J.
>
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Mohamed Wael Khobalatte | 2020-05-07 04:35:48 | pg_restore V12 fails consistently against piped pg_dumps |
| Previous Message | AC Gomez | 2020-05-07 00:05:36 | New Role drop with Grant/Revokes stop working after subsequent runs |