Postgres Pro
Downloads
Home   >   mailing lists

Re: non-superusers are allowed to drop the replication user, but are not allowed to alter or even create them, is that ok? - Mailing list pgsql-hackers

From Mark Dilger
Subject Re: non-superusers are allowed to drop the replication user, but are not allowed to alter or even create them, is that ok?
Date
Msg-id F1EFCFFF-EC9E-42D1-9C3C-3741C553CE34@enterprisedb.com
Whole thread Raw
In response to non-superusers are allowed to drop the replication user, but are not allowed to alter or even create them, is that ok?  (Ashutosh Sharma <ashu.coek88@gmail.com>)
Responses Re: non-superusers are allowed to drop the replication user, but are not allowed to alter or even create them, is that ok?  (Ashutosh Sharma <ashu.coek88@gmail.com>)
List pgsql-hackers
Tree view 

> On Sep 30, 2021, at 3:07 AM, Ashutosh Sharma <ashu.coek88@gmail.com> wrote:
>
> While working on one of the internal projects I noticed that currently in Postgres, we do not allow normal users to
alterattributes of the replication user. However we do allow normal users to drop replication users or to even rename
itusing the alter command. Is that behaviour ok? If yes, can someone please help me understand how and why this is
okay.

The definition of CREATEROLE is a bit of a mess.  Part of the problem is that roles do not have owners, which makes the
permissionsto drop roles work differently than for other object types.  I have a patch pending [1] for the version 15
developmentcycle that fixes this and other problems.  I'd appreciate feedback on the design and whether it addresses
yourconcerns. 

[1] https://commitfest.postgresql.org/34/3223/

—
Mark Dilger
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

pgsql-hackers by date:

Previous
From: Dmitry Dolgov
Date:
Subject: Re: pg_stat_statements and "IN" conditions
Next
From: Jacob Champion
Date:
Subject: Re: Support for NSS as a libpq TLS backend