Search Postgresql Archives

Re: CREATE/DROP ROLE transactional? GRANT/REVOKE?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> On 06/03/2023 14:19 CET Dominique Devienne <ddevienne@xxxxxxxxx> wrote:
>
> Perhaps I missed it in the doc (e.g. [1]), but are DDLs around ROLEs and
> GRANTs transactional?

Have you tried?  DDL is transactional unless stated otherwise (cf. CREATE DATABASE,
CREATE INDEX CONCURRENTLY, CREATE TABLESPACE).

Run the following psql script:

	drop role if exists alice, bob;

	\du

	begin;
	create role alice;
	\du
	rollback;

	\du

	begin;
	create role alice;
	create role bob;
	commit;

	\du

	begin;
	grant alice to bob;
	\du
	rollback;

	\du

	begin;
	drop role alice;
	\du
	rollback;

	\du

Output:

	DROP ROLE
	                                   List of roles
	 Role name |                         Attributes                         | Member of
	-----------+------------------------------------------------------------+-----------
	 postgres  | Superuser, Create role, Create DB, Replication, Bypass RLS | {}

	BEGIN
	CREATE ROLE
	                                   List of roles
	 Role name |                         Attributes                         | Member of
	-----------+------------------------------------------------------------+-----------
	 alice     | Cannot login                                               | {}
	 postgres  | Superuser, Create role, Create DB, Replication, Bypass RLS | {}

	ROLLBACK
	                                   List of roles
	 Role name |                         Attributes                         | Member of
	-----------+------------------------------------------------------------+-----------
	 postgres  | Superuser, Create role, Create DB, Replication, Bypass RLS | {}

	BEGIN
	CREATE ROLE
	CREATE ROLE
	COMMIT
	                                   List of roles
	 Role name |                         Attributes                         | Member of
	-----------+------------------------------------------------------------+-----------
	 alice     | Cannot login                                               | {}
	 bob       | Cannot login                                               | {}
	 postgres  | Superuser, Create role, Create DB, Replication, Bypass RLS | {}

	BEGIN
	GRANT ROLE
	                                   List of roles
	 Role name |                         Attributes                         | Member of
	-----------+------------------------------------------------------------+-----------
	 alice     | Cannot login                                               | {}
	 bob       | Cannot login                                               | {alice}
	 postgres  | Superuser, Create role, Create DB, Replication, Bypass RLS | {}

	ROLLBACK
	                                   List of roles
	 Role name |                         Attributes                         | Member of
	-----------+------------------------------------------------------------+-----------
	 alice     | Cannot login                                               | {}
	 bob       | Cannot login                                               | {}
	 postgres  | Superuser, Create role, Create DB, Replication, Bypass RLS | {}

	BEGIN
	DROP ROLE
	                                   List of roles
	 Role name |                         Attributes                         | Member of
	-----------+------------------------------------------------------------+-----------
	 bob       | Cannot login                                               | {}
	 postgres  | Superuser, Create role, Create DB, Replication, Bypass RLS | {}

	ROLLBACK
	                                   List of roles
	 Role name |                         Attributes                         | Member of
	-----------+------------------------------------------------------------+-----------
	 alice     | Cannot login                                               | {}
	 bob       | Cannot login                                               | {}
	 postgres  | Superuser, Create role, Create DB, Replication, Bypass RLS | {}

> Since I'm creating many ROLEs and making many GRANTs, based info I read from
> PostgreSQL itself (in pg_catalog and elsewhere), should everything be in a
> single transaction?

If it should be atomic and the commands are allowed in transactions, then yes,
use transactions.

--
Erik





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]

  Powered by Linux