| From: | Nathan Bossart <nathandbossart(at)gmail(dot)com> |
|---|---|
| To: | Ashutosh Sharma <ashu(dot)coek88(at)gmail(dot)com> |
| Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Andres Freund <andres(at)anarazel(dot)de>, Tomas Vondra <tomas(at)vondra(dot)me>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Orphaned users in PG16 and above can only be managed by Superusers |
| Date: | 2025-03-05 20:13:44 |
| Message-ID: | Z8iweEK1PZolUIt6@nathan |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Tue, Feb 18, 2025 at 02:54:46PM +0530, Ashutosh Sharma wrote:
> Attached is a patch that checks for role dependencies when the DROP
> ROLE command is executed. If dependencies are found, the command is
> prevented from succeeding. Please review the attached patch and share
> your feedback. thanks.!
Thanks for the patch. I have two questions:
* The patch alleges to only block DROP ROLE commands when there exists
_both_ admins of the target role and roles for which the target role is
an admin. However, it's not clear to me why both need to be true. I
might be able to glean the reason if I read this thread carefully or
spend more time thinking about it, but IMHO that patch itself should make
it obvious. I'd suggest expanding the comment atop
check_drop_role_dependency().
* Does this introduce any race conditions? For example, is it possible for
the new check to pass and then for a dependency to be added before the
drop completes?
--
nathan
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jeff Davis | 2025-03-05 20:15:57 | Re: Make tuple deformation faster |
| Previous Message | Robert Haas | 2025-03-05 20:12:44 | Re: optimize file transfer in pg_upgrade |