pgsql: Restrict the privileges of CREATEROLE users.

Поиск
Список
Период
Сортировка
От Robert Haas
Тема pgsql: Restrict the privileges of CREATEROLE users.
Дата
Msg-id E1pFIfq-0030HR-N2@gemulon.postgresql.org
обсуждение исходный текст
Список pgsql-committers
Дерево обсуждения 
Restrict the privileges of CREATEROLE users.

Previously, CREATEROLE users were permitted to make nearly arbitrary
changes to roles that they didn't create, with certain exceptions,
particularly superuser roles.  Instead, allow CREATEROLE users to make such
changes to roles for which they possess ADMIN OPTION, and to
grant membership only in roles for which they possess ADMIN OPTION.

When a CREATEROLE user who is not a superuser creates a role, grant
ADMIN OPTION on the newly-created role to the creator, so that they
can administer roles they create or for which they have been given
privileges.

With these changes, CREATEROLE users still have very significant
powers that unprivileged users do not receive: they can alter, rename,
drop, comment on, change the password for, and change security labels
on roles.  However, they can now do these things only for roles for
which they possess appropriate privileges, rather than all
non-superuser roles; moreover, they cannot grant a role such as
pg_execute_server_program unless they themselves possess it.

Patch by me, reviewed by Mark Dilger.

Discussion: https://postgr.es/m/CA+TgmobN59ct+Emmz6ig1Nua2Q-_o=r6DSD98KfU53kctq_kQw@mail.gmail.com

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/cf5eb37c5ee0cc54c80d95c1695d7fca1f7c68cb

Modified Files
--------------
doc/src/sgml/ddl.sgml                              |  10 +--
doc/src/sgml/ref/alter_role.sgml                   |   8 +-
doc/src/sgml/ref/comment.sgml                      |   3 +-
doc/src/sgml/ref/create_role.sgml                  |   4 +-
doc/src/sgml/ref/createuser.sgml                   |   3 +-
doc/src/sgml/ref/drop_role.sgml                    |   2 +-
doc/src/sgml/ref/dropuser.sgml                     |   7 +-
doc/src/sgml/ref/grant.sgml                        |   4 +-
doc/src/sgml/user-manag.sgml                       |  44 ++++++---
src/backend/catalog/objectaddress.c                |  10 ++-
src/backend/commands/user.c                        | 100 +++++++++++++++------
.../dummy_seclabel/expected/dummy_seclabel.out     |  17 ++--
.../modules/dummy_seclabel/sql/dummy_seclabel.sql  |  13 ++-
src/test/regress/expected/create_role.out          |  53 ++++++-----
src/test/regress/sql/create_role.sql               |  38 ++++----
15 files changed, 210 insertions(+), 106 deletions(-)

В списке pgsql-committers по дате отправления:

Предыдущее
От: Amit Kapila
Дата:
Сообщение: Re: pgsql: Fix the display of lock information for specktoken.
Следующее
От: Robert Haas
Дата:
Сообщение: pgsql: Add new GUC createrole_self_grant.