Re: SET ROLE and reserved roles

On Wed, Apr 13, 2016 at 1:24 PM, Stephen Frost <sfrost@snowman.net> wrote:
> On Wednesday, April 13, 2016, Robert Haas <robertmhaas@gmail.com> wrote:
>>
>> On Wed, Apr 13, 2016 at 1:10 PM, Stephen Frost <sfrost@snowman.net> wrote:
>> >> What I'd like to know is why it rejects that at all.  What's the point
>> >> of having roles you can't SET to?
>> >
>> > To use them to GRANT access to other roles, which was the goal of the
>> > default roles system to begin with.
>>
>> Well ... yeah.  But that doesn't mean it should be impossible to SET
>> to that role itself.  I'm a little worried that could create strange
>> corner cases.
>
> Being able to create objects owned by a default role was one of those
> strange corner cases I was trying to avoid.
>
> What's the use-case for setting to the role..?  I would generally argue that
> it's actually to create objects as that role, which is something I believe
> we specifically do not want for default roles, and in some limited cases to
> drop or gain additional privileges, when using noinherit roles (which are
> not the default).  The latter can still be accomplished, of course, by
> creating a role which is noinherit and using that.

I don't know that there is a use case for it, but it seems like a
weird inconsistency.  It may be fine; it just seems odd.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company