Re: How was I able to drop a role even though objects depend on it?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Alvaro Herrera-9 wrote
> David Johnston wrote:
>> Wojciechowski, Robert (GE Transportation) wrote
>> > [...] there is a database that shows this connect grant to a user that
>> was
>> > known as foo1_userA (oid 3562339547): 3562339547=c/postgres 
>> 
>> The main user dependent situation is having said user OWNER on a database
>> object.  Simply giving a user connect privileges on a database does not
>> make
>> the database dependent upon said user and so removing said user remains
>> possible.
> 
> Dropping a user which is either a database owner or has been granted
> CONNECT privileges is supposed to be disallowed:
> 
> alvherre=# create user f;
> CREATE ROLE
> alvherre=# create database f owner f;
> CREATE DATABASE
> alvherre=# drop role f;
> ERROR:  role "f" cannot be dropped because some objects depend on it
> DETALLE:  owner of database f
> alvherre=# create role g;
> CREATE ROLE
> alvherre=# grant connect on database f to g;
> GRANT
> alvherre=# drop role g;
> ERROR:  role "g" cannot be dropped because some objects depend on it
> DETALLE:  privileges for database f
> 
> We're supposed to have sufficient locking so that concurrent
> transactions don't see problems either (one xact drops the user while
> the other creates the database), but maybe there are bugs somewhere.

OK.  Looking at the documentation for this I see where this is stated though
I read it that only direct permissions are evaluated.  If foo1_userA is
getting permission to connect to database "postgres" via a parent role then
foo1_userA can be dropped since it would not need/have direct connect
privileges but would still how up as being allowed by the system.  I don't
know whether 3562339547 = c/postgres would show up only in the direct case
or if also via inheritance - and I'm not totally sure where this is actually
being queried in the first place.


David J.






--
View this message in context: http://postgresql.1045698.n5.nabble.com/How-was-I-able-to-drop-a-role-even-though-objects-depend-on-it-tp5762049p5762105.html
Sent from the PostgreSQL - admin mailing list archive at Nabble.com.


-- 
Sent via pgsql-admin mailing list (pgsql-admin@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin




[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux