On Tue, Apr 26, 2016 at 7:39 PM, Robert Haas <robertmh...@gmail.com> wrote: > On Mon, Apr 25, 2016 at 6:55 PM, Stephen Frost <sfr...@snowman.net> wrote: >> Based on our discussion at PGConf.US and the comments up-thread from >> Tom, I'll work up a patch to remove those checks around SET ROLE and >> friends which were trying to prevent default roles from possibly being >> made to own objects. >> >> Should the checks, which have been included since nearly the start of >> this version of the patch, to prevent users from GRANT'ing other rights >> to the default roles remain? Or should those also be removed? I >> *think* pg_dump/pg_upgrade would be fine with rights being added, and if >> we aren't preventing ownership of objects then we aren't going to be >> able to remove such roles in any case. > > It'd be good to test that that works. If it does, I think we may as > well allow it. > >> Of course, with these default roles, users can't REVOKE the rights which >> are granted to them as that happens in C code, outside of the GRANT >> system. > > I think you mean that they can't revoke the special magic rights, but > they could revoke any additional privileges which were granted. > >> Working up a patch to remove these checks should be pretty quickly done >> (iirc, I've actually got an independent patch around from when I added >> them, just need to find it and then go through the committed patches to >> make sure I take care of everything), but would like to make sure that >> we're now all on the same page and that *all* of these checks should be >> removed, making default roles just exactly like "regular" roles, except >> that they're created at initdb time and have "special" rights provided >> by C-level code checks. > > That's what I'm thinking. I would welcome other views.
Ping! -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (firstname.lastname@example.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers