Thread: Defining Role Privileges

Defining Role Privileges

From
Carlos Mennens
Date:
I'm wondering about my CREATE ROLE statements for PostgreSQL. I guess
I don't know if there's an official answer but I feel like I'm
entering a lot of redundant privileges to a role for example:

CREATE ROLE tom NOINHERIT LOGIN SUPERUSER CREATEDB CREATEROLE REPLICATION;
CREATE ROLE

My question is do I need to specify CREATEDB & CREATEROLE if I'm
already granting the SUPERUSER privilege? Seems kind of redundant to
me, no? Is there any logical reason someone would be a SUPERUSER and
not have CREATEDB or CREATEROLE?

Also when I generate a new role, is there any difference between using:

ALTER ROLE tom ENCRYPTED PASSWORD 'md5081bea17b5503506d29531af33cc6f4e';

\password tom

Is there a downside to using the \password psql command? Is it also
encrypted like the statement above? How do you create roles and do you
do it manually or have some kind of template?

Re: Defining Role Privileges

From
Tom Lane
Date:
Carlos Mennens <carlos.mennens@gmail.com> writes:
> My question is do I need to specify CREATEDB & CREATEROLE if I'm
> already granting the SUPERUSER privilege?

No, not really.  The point of those options is to grant privileges to
roles that aren't superuser.

> Also when I generate a new role, is there any difference between using:
> ALTER ROLE tom ENCRYPTED PASSWORD 'md5081bea17b5503506d29531af33cc6f4e';

> \password tom

Don't think so, except that in the former case you have to work out the
encrypted password by hand.  The latter is safer since the cleartext
password will not escape the psql executable.

            regards, tom lane

Re: Defining Role Privileges

From
Jasen Betts
Date:
On 2012-02-08, Carlos Mennens <carlos.mennens@gmail.com> wrote:

> ALTER ROLE tom ENCRYPTED PASSWORD 'md5081bea17b5503506d29531af33cc6f4e';
>
> \password tom
>
> Is there a downside to using the \password psql command? Is it also
> encrypted like the statement above? How do you create roles and do you
> do it manually or have some kind of template?

I checked that a few weeks ago when doing the latter version the
password is translated into a form similar to former version
your chosen new password is sent over the wire encrypted.

--
⚂⚃ 100% natural