Home > mailing lists

[GENERAL] Roles inherited from a role which is the owner of a database can drop it? - Mailing list pgsql-general

From	Ivan Voras
Subject	[GENERAL] Roles inherited from a role which is the owner of a database can drop it?
Date	October 31, 2017 01:25:07
Msg-id	CAF-QHFV-BW-4T6GYJ_qr0J7iaLUuVq2G1=WEnP7BbwDEfP+FAg@mail.gmail.com Whole thread Raw
Responses	Re: [GENERAL] Roles inherited from a role which is the owner of adatabase can drop it? ("David G. Johnston" <david.g.johnston@gmail.com>)
List	pgsql-general

Tree view

Hello,

I just want to verify that what I'm observing is true, and if it is, I'd like to know how to avoid it:

1. There are databases owned by a certain role which is a superuser

2. Nobody logs in with the superuser role unless necessary

3. But they do log in with "developer" roles which are inherited from the owner role. These developer roles are not superusers themselves, but have the CREATEDB flag

4. The developer roles can still drop the databases.

I've tried it on a dummy database and it apparently works as described here. Is this by design?

If it is, is there a way to prevent the developer roles from dropping the databases?

What are the best practices for this sort of scenario where there is a single owner of all the schema (which is large), where developers need access to everything but cannot do something as drastic as dropping the dbs (and possibly tables)?

pgsql-general by date:

From: rakeshkumar464
Date: 30 October 2017, 23:55:17
Subject: [GENERAL] pg_audit to mask literal sql

From: Arthur Zakirov
Date: 31 October 2017, 02:58:00
Subject: Re: [GENERAL] pg_audit to mask literal sql

[GENERAL] Roles inherited from a role which is the owner of a database can drop it? - Mailing list pgsql-general

Previous

Next