Re: [PATCHES] Users/Groups -> Roles - Mailing list pgsql-hackers

From Michael Paesold
Subject Re: [PATCHES] Users/Groups -> Roles
Date
Msg-id 00e601c57c20$4c255580$0f01a8c0@zaphod
Whole thread Raw
In response to Re: [PATCHES] Users/Groups -> Roles  (Stephen Frost <sfrost@snowman.net>)
Responses Re: [PATCHES] Users/Groups -> Roles
List pgsql-hackers
Stephen Frost wrote:
> If you're considered the owner of an object then you have access to drop
> it already.  You have to be a member of the role to which you're
> changing the ownership.  That role not having permission to create the
> object in place is an interesting question.  That's an issue for SET
> ROLE too, to some extent I think, do you still have your role's
> permissions after you've SET ROLE to another role?

For me this would be the "natural" way how SET ROLE would behave. This is 
unix'ism again, but using setuid to become another user, you loose the 
privileges of the old user context.
Therefore SET ROLE should not inherit privileges from the other role. This 
seems to be the safes approach.

Nevertheless, what does the standard say?

> If not then you'd
> have to grant CREATE on the schema to the role in order to create
> objects owned by that role, and I don't think that's necessairly
> something you'd want to do.

Right, that's an issue. But since the new role will be the *owner* of the 
object, it *should* really have create-privileges in that schema. So the 
above way seems to be correct anyway.

Best Regards,
Michael Paesold 



pgsql-hackers by date:

Previous
From: "Magnus Hagander"
Date:
Subject: Re: Proposed TODO: --encoding option for pg_dump
Next
From: Alvaro Herrera
Date:
Subject: Re: [PATCHES] Proposed TODO: --encoding option for pg_dump