Search Postgresql Archives

AW: Postgres Enhancement Request

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



We already did and use this at the moment. Unfortunately.

Some out-of-the-box applications can't use functions for user management.
Some users don't want "special" functions for user management.
...

Markus



-----Ursprüngliche Nachricht-----
Von: Thomas Kellerer <spam_eater@xxxxxxx> 
Gesendet: Mittwoch, 20. März 2019 11:45
An: pgsql-general@xxxxxxxxxxxxxxxxxxxx
Betreff: Re: Postgres Enhancement Request

Zwettler Markus (OIZ) schrieb am 20.03.2019 um 11:10:
> CREATEROLE allows users to create new roles also having the CREATEDB privilege (at least in version 9.6).
> 
> We want special users to be able to CREATEROLE without being able to CREATEDB (eg. when usermanagement is done by the application itself).
> 
> Please prevent users with CREATEROLE to create roles having CREATEDB (analogous SUPERUSER and REPLICATION).

I agree that would be a welcome enhancement. 

As a workaround, you can create a function owned by a superuser (or any other user with the "createrole" privilege) using "security definer" that provides a simple "create user" capability and makes sure that the created user does not have the createdb privilege. 

The user/role that should be able to create new roles doesn't need the createrole privilege at all then. 
All it needs is the execute privilege on the function.

Thomas







[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Books]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]

  Powered by Linux