David Johnston wrote:
> Wojciechowski, Robert (GE Transportation) wrote
> > [...] there is a database that shows this connect grant to a user that was
> > known as foo1_userA (oid 3562339547): 3562339547=c/postgres
>
> The main user dependent situation is having said user OWNER on a database
> object. Simply giving a user connect privileges on a database does not make
> the database dependent upon said user and so removing said user remains
> possible.
Dropping a user which is either a database owner or has been granted
CONNECT privileges is supposed to be disallowed:
alvherre=# create user f;
CREATE ROLE
alvherre=# create database f owner f;
CREATE DATABASE
alvherre=# drop role f;
ERROR: role "f" cannot be dropped because some objects depend on it
DETALLE: owner of database f
alvherre=# create role g;
CREATE ROLE
alvherre=# grant connect on database f to g;
GRANT
alvherre=# drop role g;
ERROR: role "g" cannot be dropped because some objects depend on it
DETALLE: privileges for database f
We're supposed to have sufficient locking so that concurrent
transactions don't see problems either (one xact drops the user while
the other creates the database), but maybe there are bugs somewhere.
--
Álvaro Herrera http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services