AW: Postgres Enhancement Request
From | Zwettler Markus (OIZ) |
---|---|
Subject | AW: Postgres Enhancement Request |
Date | |
Msg-id | 644dba7f10da4f20b2ed412dc7ea7cd0@zuerich.ch |
In reply to | Re: Postgres Enhancement Request (Thomas Kellerer <spam_eater@gmx.net>) |
List | pgsql-general |
We already did and use this at the moment. Unfortunately.

Some out-of-the-box applications can't use functions for user management.
Some users don't want "special" functions for user management.
...

Markus

-----Original Message-----
From: Thomas Kellerer <spam_eater@gmx.net>
Sent: Wednesday, 20 March 2019 11:45
To: pgsql-general@lists.postgresql.org
Subject: Re: Postgres Enhancement Request

Zwettler Markus (OIZ) wrote on 20.03.2019 at 11:10:
> CREATEROLE allows users to create new roles also having the CREATEDB privilege (at least in version 9.6).
>
> We want special users to be able to CREATEROLE without being able to CREATEDB (eg. when user management is done by the application itself).
>
> Please prevent users with CREATEROLE to create roles having CREATEDB (analogous SUPERUSER and REPLICATION).

I agree that would be a welcome enhancement.

As a workaround, you can create a function owned by a superuser (or any other user with the "createrole" privilege) using "security definer" that provides a simple "create user" capability and makes sure that the created user does not have the createdb privilege.

The user/role that should be able to create new roles doesn't need the createrole privilege at all then.

All it needs is the execute privilege on the function.

Thomas
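The workaround described in the quoted reply, as an added example that is not code from the thread: a `SECURITY DEFINER` function that creates login roles with the privileged attributes forced off. The schema `usermgmt`, the function `create_app_user` and the existing role `app_user_admin` are hypothetical names; the script is assumed to be run by a superuser or a role with CREATEROLE, which becomes the function owner.

```sql
-- Added example; usermgmt, create_app_user and app_user_admin are hypothetical names.
-- Run as a superuser or a role holding CREATEROLE (it becomes the function owner).
BEGIN;  -- one transaction, so the function is never visible with its default PUBLIC execute grant

CREATE SCHEMA IF NOT EXISTS usermgmt;

CREATE OR REPLACE FUNCTION usermgmt.create_app_user(p_name text, p_password text)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
-- Pin the search path so the caller cannot shadow objects used by the function.
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    -- Accept only plain lower-case identifiers; reject the reserved pg_ prefix.
    IF p_name IS NULL
       OR p_name !~ '^[a-z_][a-z0-9_]{0,62}$'
       OR p_name ~ '^pg_' THEN
        RAISE EXCEPTION 'invalid role name';
    END IF;

    IF p_password IS NULL OR length(p_password) = 0 THEN
        RAISE EXCEPTION 'password must not be empty';
    END IF;

    -- %I quotes the identifier, %L quotes the literal. The attribute list is
    -- fixed here, so the caller cannot request CREATEDB or any other attribute.
    EXECUTE format(
        'CREATE ROLE %I LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION PASSWORD %L',
        p_name, p_password);
END;
$$;

-- Functions are executable by PUBLIC by default; restrict to the delegated role.
REVOKE ALL ON FUNCTION usermgmt.create_app_user(text, text) FROM PUBLIC;
GRANT USAGE ON SCHEMA usermgmt TO app_user_admin;
GRANT EXECUTE ON FUNCTION usermgmt.create_app_user(text, text) TO app_user_admin;

COMMIT;
```

With this in place `app_user_admin` holds neither CREATEROLE nor CREATEDB and can only create roles through the function. Because the password is passed as a statement literal, it can appear in the server log when statement logging is enabled.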