From: | "David Legault" <legault(dot)david(at)gmail(dot)com> |
---|---|
To: | alvherre(at)commandprompt(dot)com, pgsql-general(at)postgresql(dot)org |
Subject: | Re: ROLE INHERIT |
Date: | 2007-02-16 00:12:12 |
Message-ID: | e0b20d410702151612h98a8f7dtd69d4d6ccadfbc5f@mail.gmail.com |
Lists: | pgsql-general |

The docs should probably be more clear about this because you can do:

GRANT *role* [, ...] TO *username* [, ...] [ WITH ADMIN OPTION ]

GRANT on Roles

This variant of the GRANT command grants membership in a role to one or more
other roles. Membership in a role is significant because it conveys the
privileges granted to a role to each of its members.

GRANT administrator TO admin;

I thought it would transfer that CREATEROLE privilege too.

Thanks

David

On 2/15/07, Alvaro Herrera <alvherre(at)commandprompt(dot)com> wrote:
>
> David Legault wrote:
> > Hello,
> >
> > I'm a bit new to Postgre, and I'm experimenting with the roles stuff.
> >
> > I want to know why, if I create a role called "administrator" (a group
> > basically, no login) :
> >
> > CREATE ROLE administrator NOSUPERUSER INHERIT NOCREATEDB CREATEROLE;
> >
> > And then create a user
> >
> > CREATE ROLE admin LOGIN PASSWORD 'password' IN ROLE administrator;
> >
> > admin doesn't have the CREATEROLE privilege himself, but because he is part
> > of a group that has it, why doesn't this fall back on him having it?
> >
> > When I try to use that admin user to create another role, it says
> > insufficient privileges.
> >
> > Am I missing something in this role stuff ?
>
> A single point, which is that the privileges that are inherited
> are those that you can GRANT and REVOKE with the respective commands.
> CREATEROLE and the others are not inherited.
>
> Also, keep in mind that while role "admin" does not have CREATEDB
> privilege, if you grant it the CREATEROLE privilege it will easily be
> able to create a database by creating another role with CREATEDB
> privilege. So don't grant CREATEROLE to just anyone.
>
> FYI, the short name of PostgreSQL is "Postgres", not Postgre.
>
> --
> Alvaro Herrera
> http://www.CommandPrompt.com/
> PostgreSQL Replication, Consulting, Custom Development, 24x7 support
>
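
The behaviour discussed in this thread, as an added example that is not part of either message: role attributes such as CREATEROLE are not inherited through membership, but the PostgreSQL documentation states that a member can make use of them after SET ROLE, so a privilege review has to follow membership. The role names come from the thread; the password, the role name `test1` and the audit query are assumptions made for this illustration.

```sql
-- Added example. Role names are from the thread; the password is a placeholder.
CREATE ROLE administrator NOSUPERUSER INHERIT NOCREATEDB CREATEROLE;
CREATE ROLE admin LOGIN PASSWORD 'change-me' IN ROLE administrator;

-- Connected as admin (test1 is a hypothetical role name):
--   CREATE ROLE test1;        -- fails: CREATEROLE is an attribute, not inherited
--   SET ROLE administrator;   -- allowed, admin is a member of administrator
--   CREATE ROLE test1;        -- succeeds: the current role carries CREATEROLE
--   RESET ROLE;

-- Audit: every login role that can reach a role carrying CREATEROLE, CREATEDB
-- or SUPERUSER, either directly (the role itself) or through nested membership.
-- Note: on PostgreSQL 16 and later, pg_auth_members.set_option also controls
-- whether a member may SET ROLE; this portable query does not filter on it.
WITH RECURSIVE reach(login_role, via_oid) AS (
    -- start from each role that can log in
    SELECT r.rolname, r.oid
    FROM pg_roles r
    WHERE r.rolcanlogin
  UNION
    -- follow "member of" edges upwards
    SELECT reach.login_role, m.roleid
    FROM reach
    JOIN pg_auth_members m ON m.member = reach.via_oid
)
SELECT reach.login_role,
       g.rolname      AS reachable_role,
       g.rolcreaterole,
       g.rolcreatedb,
       g.rolsuper
FROM reach
JOIN pg_roles g ON g.oid = reach.via_oid
WHERE g.rolcreaterole OR g.rolcreatedb OR g.rolsuper
ORDER BY reach.login_role, g.rolname;
```

With the two roles above, the query returns a row for `admin` with `reachable_role = administrator` and `rolcreaterole = t`, which is the path a review of who can create roles needs to see.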