Re: PG 16 draft release notes ready - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: PG 16 draft release notes ready
Date
Msg-id ZNQNI6dc+ZjY6p4o@momjian.us
In response to Re: PG 16 draft release notes ready  (Noah Misch <noah@leadboat.com>)
List pgsql-hackers
On Sat, Aug  5, 2023 at 04:08:47PM -0700, Noah Misch wrote:
> On Thu, May 18, 2023 at 04:49:47PM -0400, Bruce Momjian wrote:
> >     https://momjian.us/pgsql_docs/release-16.html
> 
> > <!--
> > Author: Robert Haas <rhaas@postgresql.org>
> > 2023-01-10 [cf5eb37c5] Restrict the privileges of CREATEROLE users.
> > -->
> > 
> > <listitem>
> > <para>
> > Restrict the privileges of CREATEROLE roles (Robert Haas)
> > </para>
> > 
> > <para>
> > Previously roles with CREATEROLE privileges could change many aspects of any non-superuser role.  Such changes,
> > including adding members, now require the role requesting the change to have ADMIN OPTION
> > permission.
> > </para>
> > </listitem>
> > 
> > <!--
> > Author: Robert Haas <rhaas@postgresql.org>
> > 2023-01-24 [f1358ca52] Adjust interaction of CREATEROLE with role properties.
> > -->
> > 
> > <listitem>
> > <para>
> > Improve logic of CREATEROLE roles ability to control other roles (Robert Haas)
> > </para>
> > 
> > <para>
> > For example, they can change the CREATEDB, REPLICATION, and BYPASSRLS properties only if they also have those
> > permissions.
> > </para>
> > </listitem>
> 
> CREATEROLE is a radically different feature in v16.  In v15-, it was an
> almost-superuser.  In v16, informally speaking, it can create and administer
> its own collection of roles, but it can't administer roles outside its
> collection or grant memberships or permissions not offered to itself.  Hence,
> let's move these two into the incompatibilities section.  Let's also merge
> them, since f1358ca52 is just doing to clauses like CREATEDB what cf5eb37c5
> did to role memberships.

Good point. I have adjusted this item with the attached patch.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  Only you can decide what is important to you.
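
The v16 CREATEROLE behavior discussed in the quoted release-note items, as an added example that is not part of the original message or of the PostgreSQL sources. It assumes a superuser psql session on a scratch PostgreSQL 16 cluster; the role names admin_a, outsider, app_user and dbmaker are hypothetical.

```sql
-- Added illustration; all role names are hypothetical.
-- Run as a superuser on a scratch PostgreSQL 16 cluster.
CREATE ROLE admin_a LOGIN CREATEROLE;   -- delegated role admin: no CREATEDB, no BYPASSRLS
CREATE ROLE outsider NOLOGIN;           -- created by the superuser, outside admin_a's collection

SET SESSION AUTHORIZATION admin_a;

-- Inside the collection: admin_a creates a role and is implicitly
-- granted ADMIN OPTION on it, so it can administer that role.
CREATE ROLE app_user NOLOGIN;
ALTER ROLE app_user CONNECTION LIMIT 5;

-- Outside the collection: each statement below is rejected in v16
-- because admin_a has no ADMIN OPTION on outsider (cf5eb37c5).
-- In v15 and earlier, CREATEROLE alone was enough for both.
ALTER ROLE outsider CONNECTION LIMIT 5;
GRANT outsider TO app_user;

-- Properties admin_a does not hold itself cannot be handed out (f1358ca52):
-- both statements are rejected because admin_a lacks CREATEDB and BYPASSRLS.
CREATE ROLE dbmaker CREATEDB;
ALTER ROLE app_user BYPASSRLS;

RESET SESSION AUTHORIZATION;

-- Audit check after an upgrade: list who holds ADMIN OPTION on which role,
-- which is what now bounds a CREATEROLE user's reach.
SELECT r.rolname AS role,
       m.rolname AS member,
       g.rolname AS grantor
FROM pg_auth_members am
JOIN pg_roles r ON r.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member
JOIN pg_roles g ON g.oid = am.grantor
WHERE am.admin_option
ORDER BY r.rolname, m.rolname;

-- Cleanup of the scratch roles.
DROP ROLE app_user;
DROP ROLE outsider;
DROP ROLE admin_a;
```

Without ON_ERROR_STOP set, psql continues past the rejected statements, so the whole script can be run in one pass to see which operations v16 refuses.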
