Date: Wed, 29 Aug 2012 21:14:40 -0400
From: Bruce Momjian
To: Jaime Casanova
Cc: Robert Haas, Tom Lane, Scott Marlowe, pgsql-docs
Subject: Re: CREATE USER

On Thu, May 3, 2012 at 02:05:49PM -0500, Jaime Casanova wrote:
> On Wed, May 2, 2012 at 12:09 PM, Robert Haas wrote:
> > On Tue, Apr 24, 2012 at 2:55 AM, Jaime Casanova wrote:
> >> On Tue, Dec 13, 2011 at 11:27 PM, Tom Lane wrote:
> >>>
> >>> I think it might be sane to emit a WARNING suggesting that CREATEUSER
> >>> might not mean what you think, but failing is probably not good.
> >>>
> >>
> >> are we going to do this in this release?
> >> i never was able to think in a good phrasing for this, though
> >
> > I actually think we should just leave this alone. There is a
> > limitless number of things that someone could potentially be confused
> > by if they fail to read the documentation, and we can't warn about all
> > of them.
> >
>
> maybe is not very helpful, but it can't hurt... hey! it can save you
> because you maybe used CREATEUSER with the intention of CREATEROLE,
> and ended up with a user with restricted privileges that is actually a
> SUPERUSER... that's bad and is a POLA violation.
>
> is worse because we are the ones causing the confusion consider the syntax:
> CREATE USER = CREATE ROLE
> IN GROUP = IN ROLE
> USER = ROLE
>
> CREATEUSER != CREATEROLE
> CREATEUSER = SUPERUSER

I looked at this and can't see a way to make CREATEUSER != CREATEROLE
clearer:

    The only difference is that when the command is spelled CREATE USER,
    LOGIN is assumed by default, whereas NOLOGIN is assumed when the command
    is spelled CREATE ROLE.

--
  Bruce Momjian  http://momjian.us
  EnterpriseDB   http://enterprisedb.com

  + It's impossible for everything to be true. +
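
Added example, not part of the original message or of PostgreSQL itself: a heuristic Python check over role DDL that treats the CREATEUSER option discussed in this thread as a superuser grant and applies the LOGIN default for CREATE USER versus CREATE ROLE. The function name `audit_role_sql` and the sample statements are constructed for illustration; it is a keyword scan, not a SQL parser.

```python
import re

# Matches "CREATE|ALTER USER|ROLE <name> <options...>" for one statement.
ROLE_STMT = re.compile(
    r"^\s*(CREATE|ALTER)\s+(USER|ROLE)\s+(\"[^\"]+\"|\w+)(.*)$",
    re.IGNORECASE | re.DOTALL)
# String literals ('' is an escaped quote) and -- line comments.
STRING_OR_COMMENT = re.compile(r"'(?:[^']|'')*'|--[^\n]*")
# Per the thread: CREATEUSER = SUPERUSER, and CREATEUSER != CREATEROLE.
SUPER_SPELLINGS = ("CREATEUSER", "SUPERUSER")

# Constructed sample input, not taken from any real system.
SAMPLE_SQL = """
-- constructed sample
CREATE USER app_admin CREATEUSER PASSWORD 'x';
CREATE ROLE deployer CREATEROLE LOGIN;
CREATE USER reporter NOCREATEUSER PASSWORD 'CREATEUSER';
CREATE ROLE batch SUPERUSER;
"""


def audit_role_sql(sql):
    """Return one finding per CREATE/ALTER USER|ROLE statement in sql."""
    findings = []
    # Blank out literals and comments first, so a password or comment that
    # contains the word CREATEUSER is not mistaken for the option.
    cleaned = STRING_OR_COMMENT.sub(" ", sql)
    for stmt in cleaned.split(";"):
        m = ROLE_STMT.match(stmt)
        if m is None:
            continue
        verb, kind, name, rest = m.groups()
        # Whole-word tokens: NOCREATEUSER and CREATEROLE never match CREATEUSER.
        opts = {w.upper() for w in re.findall(r"\w+", rest)}
        spelled = [s for s in SUPER_SPELLINGS if s in opts]
        if verb.upper() == "CREATE":
            # CREATE USER assumes LOGIN; CREATE ROLE assumes NOLOGIN.
            login = ("NOLOGIN" not in opts) if kind.upper() == "USER" else ("LOGIN" in opts)
        else:
            login = None  # ALTER leaves the login attribute as it was
        findings.append({"role": name.strip('"'), "superuser": bool(spelled),
                         "spelled": spelled[0] if spelled else None, "login": login})
    return findings


if __name__ == "__main__":
    for f in audit_role_sql(SAMPLE_SQL):
        print(f)
```
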