public inbox for [email protected]help / color / mirror / Atom feed
CREATE USER 13+ messages / 5 participants [nested] [flat]
* CREATE USER @ 2011-12-09 21:09 Jaime Casanova <[email protected]> 0 siblings, 1 reply; 13+ messages in thread From: Jaime Casanova @ 2011-12-09 21:09 UTC (permalink / raw) To: pgsql-docs Hi, I just notice that when you create a user using CREATE USER and give the user the ability to create other users it gets created as SUPERUSER. CREATE ROLE behaves as expected. Looking at src/backend/parser/gram.y seems it's intentional, for backwards compatibility. But the docs says: """ CREATE USER is now an alias for CREATE ROLE. The only difference is that when the command is spelled CREATE USER, LOGIN is assumed by default, whereas NOLOGIN is assumed when the command is spelled CREATE ROLE. """ So, at least, we need to update docs or is undocumented intentionally too? also i really think the command should raise a WARNING so we now what's happening -- Jaime Casanova www.2ndQuadrant.com Professional PostgreSQL: Soporte 24x7 y capacitación ^ permalink raw reply [nested|flat] 13+ messages in thread
* Re: CREATE USER @ 2011-12-10 03:21 Tom Lane <[email protected]> parent: Jaime Casanova <[email protected]> 0 siblings, 2 replies; 13+ messages in thread From: Tom Lane @ 2011-12-10 03:21 UTC (permalink / raw) To: Jaime Casanova <[email protected]>; +Cc: pgsql-docs Jaime Casanova <[email protected]> writes: > I just notice that when you create a user using CREATE USER and give > the user the ability to create other users it gets created as > SUPERUSER. Are you talking about the CREATEUSER option? That is documented, quite clearly I think: CREATEUSER NOCREATEUSER These clauses are an obsolete, but still accepted, spelling of SUPERUSER and NOSUPERUSER. Note that they are not equivalent to CREATEROLE as one might naively expect! The only way we could really make this any better is to remove these keywords, which might be something to consider. The preferred SUPERUSER spelling has been accepted since 8.1 ... is that long enough to ensure everyone's converted their client-side tools? Probably not :-( regards, tom lane ^ permalink raw reply [nested|flat] 13+ messages in thread
* Re: CREATE USER @ 2011-12-10 03:36 Jaime Casanova <[email protected]> parent: Tom Lane <[email protected]> 1 sibling, 1 reply; 13+ messages in thread From: Jaime Casanova @ 2011-12-10 03:36 UTC (permalink / raw) To: Tom Lane <[email protected]>; +Cc: pgsql-docs On Fri, Dec 9, 2011 at 10:21 PM, Tom Lane <[email protected]> wrote: > Jaime Casanova <[email protected]> writes: >> I just notice that when you create a user using CREATE USER and give >> the user the ability to create other users it gets created as >> SUPERUSER. > > Are you talking about the CREATEUSER option? That is documented, quite > clearly I think: > yes, i was. and it's seems you're right is documented... obviously i was looking at the wrong place > > The only way we could really make this any better is to remove these > keywords, which might be something to consider. The preferred SUPERUSER > spelling has been accepted since 8.1 ... is that long enough to ensure > everyone's converted their client-side tools? Probably not :-( > 6 years since enough for me... actually i have been around even before that and didn't remember that. even if you think is not worth remove these, even a WARNING should be good -- Jaime Casanova www.2ndQuadrant.com Professional PostgreSQL: Soporte 24x7 y capacitación ^ permalink raw reply [nested|flat] 13+ messages in thread
* Re: CREATE USER @ 2011-12-10 17:33 Scott Marlowe <[email protected]> parent: Jaime Casanova <[email protected]> 0 siblings, 0 replies; 13+ messages in thread From: Scott Marlowe @ 2011-12-10 17:33 UTC (permalink / raw) To: Jaime Casanova <[email protected]>; +Cc: Tom Lane <[email protected]>; pgsql-docs On Fri, Dec 9, 2011 at 8:36 PM, Jaime Casanova <[email protected]> wrote: > On Fri, Dec 9, 2011 at 10:21 PM, Tom Lane <[email protected]> wrote: >> Jaime Casanova <[email protected]> writes: >>> I just notice that when you create a user using CREATE USER and give >>> the user the ability to create other users it gets created as >>> SUPERUSER. >> >> Are you talking about the CREATEUSER option? That is documented, quite >> clearly I think: >> > > yes, i was. and it's seems you're right is documented... obviously i > was looking at the wrong place > >> >> The only way we could really make this any better is to remove these >> keywords, which might be something to consider. The preferred SUPERUSER >> spelling has been accepted since 8.1 ... is that long enough to ensure >> everyone's converted their client-side tools? Probably not :-( >> > > 6 years since enough for me... actually i have been around even before > that and didn't remember that. > even if you think is not worth remove these, even a WARNING should be good Make sure the docs mention this and then remove it in the next major release? Works for me. ^ permalink raw reply [nested|flat] 13+ messages in thread
* Re: CREATE USER @ 2011-12-13 23:36 Bruce Momjian <[email protected]> parent: Tom Lane <[email protected]> 1 sibling, 1 reply; 13+ messages in thread From: Bruce Momjian @ 2011-12-13 23:36 UTC (permalink / raw) To: Tom Lane <[email protected]>; +Cc: Jaime Casanova <[email protected]>; pgsql-docs Tom Lane wrote: > Jaime Casanova <[email protected]> writes: > > I just notice that when you create a user using CREATE USER and give > > the user the ability to create other users it gets created as > > SUPERUSER. > > Are you talking about the CREATEUSER option? That is documented, quite > clearly I think: > > CREATEUSER > NOCREATEUSER > > These clauses are an obsolete, but still accepted, spelling of > SUPERUSER and NOSUPERUSER. Note that they are not equivalent to > CREATEROLE as one might naively expect! > > The only way we could really make this any better is to remove these > keywords, which might be something to consider. The preferred SUPERUSER > spelling has been accepted since 8.1 ... is that long enough to ensure > everyone's converted their client-side tools? Probably not :-( How does this relate to people restoring pre-8.1 pg_dumpall dumps? Seems removing this option would cause the restore to fail. -- Bruce Momjian <[email protected]> http://momjian.us EnterpriseDB http://enterprisedb.com + It's impossible for everything to be true. + ^ permalink raw reply [nested|flat] 13+ messages in thread
* Re: CREATE USER @ 2011-12-14 00:12 Scott Marlowe <[email protected]> parent: Bruce Momjian <[email protected]> 0 siblings, 1 reply; 13+ messages in thread From: Scott Marlowe @ 2011-12-14 00:12 UTC (permalink / raw) To: Bruce Momjian <[email protected]>; +Cc: Tom Lane <[email protected]>; Jaime Casanova <[email protected]>; pgsql-docs On Tue, Dec 13, 2011 at 4:36 PM, Bruce Momjian <[email protected]> wrote: > Tom Lane wrote: >> Jaime Casanova <[email protected]> writes: >> > I just notice that when you create a user using CREATE USER and give >> > the user the ability to create other users it gets created as >> > SUPERUSER. >> >> Are you talking about the CREATEUSER option? That is documented, quite >> clearly I think: >> >> CREATEUSER >> NOCREATEUSER >> >> These clauses are an obsolete, but still accepted, spelling of >> SUPERUSER and NOSUPERUSER. Note that they are not equivalent to >> CREATEROLE as one might naively expect! >> >> The only way we could really make this any better is to remove these >> keywords, which might be something to consider. The preferred SUPERUSER >> spelling has been accepted since 8.1 ... is that long enough to ensure >> everyone's converted their client-side tools? Probably not :-( > > How does this relate to people restoring pre-8.1 pg_dumpall dumps? > Seems removing this option would cause the restore to fail. True, but 1: that's a really old release, and you should always dump from the version you're going to not, going from, and 2: If you dumped with 8.1 from 8.1 you're likely to have plenty of other issues loading into later versions as well. How about it's marked as deprecated to be removed in the next major release (9.1) and removed the one after that (9.2)? ^ permalink raw reply [nested|flat] 13+ messages in thread
* Re: CREATE USER @ 2011-12-14 01:39 Bruce Momjian <[email protected]> parent: Scott Marlowe <[email protected]> 0 siblings, 1 reply; 13+ messages in thread From: Bruce Momjian @ 2011-12-14 01:39 UTC (permalink / raw) To: Scott Marlowe <[email protected]>; +Cc: Tom Lane <[email protected]>; Jaime Casanova <[email protected]>; pgsql-docs Scott Marlowe wrote: > On Tue, Dec 13, 2011 at 4:36 PM, Bruce Momjian <[email protected]> wrote: > > Tom Lane wrote: > >> Jaime Casanova <[email protected]> writes: > >> > I just notice that when you create a user using CREATE USER and give > >> > the user the ability to create other users it gets created as > >> > SUPERUSER. > >> > >> Are you talking about the CREATEUSER option? ?That is documented, quite > >> clearly I think: > >> > >> ? ? ? CREATEUSER > >> ? ? ? NOCREATEUSER > >> > >> ? ? ? These clauses are an obsolete, but still accepted, spelling of > >> ? ? ? SUPERUSER and NOSUPERUSER. Note that they are not equivalent to > >> ? ? ? CREATEROLE as one might naively expect! > >> > >> The only way we could really make this any better is to remove these > >> keywords, which might be something to consider. ?The preferred SUPERUSER > >> spelling has been accepted since 8.1 ... is that long enough to ensure > >> everyone's converted their client-side tools? ?Probably not :-( > > > > How does this relate to people restoring pre-8.1 pg_dumpall dumps? > > Seems removing this option would cause the restore to fail. > > True, but 1: that's a really old release, and you should always dump > from the version you're going to not, going from, and 2: If you dumped > with 8.1 from 8.1 you're likely to have plenty of other issues loading > into later versions as well. How about it's marked as deprecated to > be removed in the next major release (9.1) and removed the one after > that (9.2)? Well, I know we support the new pg_dump dumping back to 7.1, but I don't know what our policy is for accepting old dumps. -- Bruce Momjian <[email protected]> http://momjian.us EnterpriseDB http://enterprisedb.com + It's impossible for everything to be true. + ^ permalink raw reply [nested|flat] 13+ messages in thread
* Re: CREATE USER @ 2011-12-14 04:27 Tom Lane <[email protected]> parent: Bruce Momjian <[email protected]> 0 siblings, 2 replies; 13+ messages in thread From: Tom Lane @ 2011-12-14 04:27 UTC (permalink / raw) To: Bruce Momjian <[email protected]>; +Cc: Scott Marlowe <[email protected]>; Jaime Casanova <[email protected]>; pgsql-docs Bruce Momjian <[email protected]> writes: > Well, I know we support the new pg_dump dumping back to 7.1, but I don't > know what our policy is for accepting old dumps. We're still going to very large lengths to load pre-7.3 dumps; see for instance ConvertTriggerToFK() in trigger.c. I'm not aware of any policy that would suggest blowing off pre-8.1 dumps should be acceptable. Yeah, it's true that the *recommended* procedure is to use the newer pg_dump, but people aren't always in a position to do that. I think it might be sane to emit a WARNING suggesting that CREATEUSER might not mean what you think, but failing is probably not good. regards, tom lane ^ permalink raw reply [nested|flat] 13+ messages in thread
* Re: CREATE USER @ 2011-12-14 07:14 Scott Marlowe <[email protected]> parent: Tom Lane <[email protected]> 1 sibling, 0 replies; 13+ messages in thread From: Scott Marlowe @ 2011-12-14 07:14 UTC (permalink / raw) To: Tom Lane <[email protected]>; +Cc: Bruce Momjian <[email protected]>; Jaime Casanova <[email protected]>; pgsql-docs On Tue, Dec 13, 2011 at 9:27 PM, Tom Lane <[email protected]> wrote: > Bruce Momjian <[email protected]> writes: >> Well, I know we support the new pg_dump dumping back to 7.1, but I don't >> know what our policy is for accepting old dumps. > > We're still going to very large lengths to load pre-7.3 dumps; see > for instance ConvertTriggerToFK() in trigger.c. I'm not aware of any > policy that would suggest blowing off pre-8.1 dumps should be > acceptable. Yeah, it's true that the *recommended* procedure is to > use the newer pg_dump, but people aren't always in a position to do > that. > > I think it might be sane to emit a WARNING suggesting that CREATEUSER > might not mean what you think, but failing is probably not good. I guess there's really no reason to get rid of it, just drop it from that part of the docs, mark is as deprecated? ^ permalink raw reply [nested|flat] 13+ messages in thread
* Re: CREATE USER @ 2012-04-24 06:55 Jaime Casanova <[email protected]> parent: Tom Lane <[email protected]> 1 sibling, 1 reply; 13+ messages in thread From: Jaime Casanova @ 2012-04-24 06:55 UTC (permalink / raw) To: Tom Lane <[email protected]>; +Cc: Bruce Momjian <[email protected]>; Scott Marlowe <[email protected]>; pgsql-docs On Tue, Dec 13, 2011 at 11:27 PM, Tom Lane <[email protected]> wrote: > Bruce Momjian <[email protected]> writes: >> Well, I know we support the new pg_dump dumping back to 7.1, but I don't >> know what our policy is for accepting old dumps. > > We're still going to very large lengths to load pre-7.3 dumps; see > for instance ConvertTriggerToFK() in trigger.c. I'm not aware of any > policy that would suggest blowing off pre-8.1 dumps should be > acceptable. Yeah, it's true that the *recommended* procedure is to > use the newer pg_dump, but people aren't always in a position to do > that. > > I think it might be sane to emit a WARNING suggesting that CREATEUSER > might not mean what you think, but failing is probably not good. > are we going to do this in this release? i never was able to think in a good phrasing for this, though -- Jaime Casanova www.2ndQuadrant.com Professional PostgreSQL: Soporte 24x7 y capacitación ^ permalink raw reply [nested|flat] 13+ messages in thread
* Re: CREATE USER @ 2012-05-02 17:09 Robert Haas <[email protected]> parent: Jaime Casanova <[email protected]> 0 siblings, 1 reply; 13+ messages in thread From: Robert Haas @ 2012-05-02 17:09 UTC (permalink / raw) To: Jaime Casanova <[email protected]>; +Cc: Tom Lane <[email protected]>; Bruce Momjian <[email protected]>; Scott Marlowe <[email protected]>; pgsql-docs On Tue, Apr 24, 2012 at 2:55 AM, Jaime Casanova <[email protected]> wrote: > On Tue, Dec 13, 2011 at 11:27 PM, Tom Lane <[email protected]> wrote: >> Bruce Momjian <[email protected]> writes: >>> Well, I know we support the new pg_dump dumping back to 7.1, but I don't >>> know what our policy is for accepting old dumps. >> >> We're still going to very large lengths to load pre-7.3 dumps; see >> for instance ConvertTriggerToFK() in trigger.c. I'm not aware of any >> policy that would suggest blowing off pre-8.1 dumps should be >> acceptable. Yeah, it's true that the *recommended* procedure is to >> use the newer pg_dump, but people aren't always in a position to do >> that. >> >> I think it might be sane to emit a WARNING suggesting that CREATEUSER >> might not mean what you think, but failing is probably not good. >> > > are we going to do this in this release? > i never was able to think in a good phrasing for this, though I actually think we should just leave this alone. There is a limitless number of things that someone could potentially be confused by if they fail to read the documentation, and we can't warn about all of them. Now, one thing we could do is add a deprecation warning, stating that CREATEUSER may be removed in a future release, assuming we want to eventually remove it. But I don't think warning people that CREATEUSER means SUPERUSER and not CREATEROLE is very helpful. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company ^ permalink raw reply [nested|flat] 13+ messages in thread
* Re: CREATE USER @ 2012-05-03 19:05 Jaime Casanova <[email protected]> parent: Robert Haas <[email protected]> 0 siblings, 1 reply; 13+ messages in thread From: Jaime Casanova @ 2012-05-03 19:05 UTC (permalink / raw) To: Robert Haas <[email protected]>; +Cc: Tom Lane <[email protected]>; Bruce Momjian <[email protected]>; Scott Marlowe <[email protected]>; pgsql-docs On Wed, May 2, 2012 at 12:09 PM, Robert Haas <[email protected]> wrote: > On Tue, Apr 24, 2012 at 2:55 AM, Jaime Casanova <[email protected]> wrote: >> On Tue, Dec 13, 2011 at 11:27 PM, Tom Lane <[email protected]> wrote: >>> >>> I think it might be sane to emit a WARNING suggesting that CREATEUSER >>> might not mean what you think, but failing is probably not good. >>> >> >> are we going to do this in this release? >> i never was able to think in a good phrasing for this, though > > I actually think we should just leave this alone. There is a > limitless number of things that someone could potentially be confused > by if they fail to read the documentation, and we can't warn about all > of them. > maybe is not very helpful, but it can't hurt... hey! it can save you because you maybe used CREATEUSER with the intention of CREATEROLE, and ended up with a user with restricted privileges that is actually a SUPERUSER... that's bad and is a POLA violation. is worse because we are the ones causing the confusion consider the syntax: CREATE USER = CREATE ROLE IN GROUP = IN ROLE USER = ROLE CREATEUSER != CREATEROLE CREATEUSER = SUPERUSER -- Jaime Casanova www.2ndQuadrant.com Professional PostgreSQL: Soporte 24x7 y capacitación ^ permalink raw reply [nested|flat] 13+ messages in thread
* Re: CREATE USER @ 2012-08-30 01:14 Bruce Momjian <[email protected]> parent: Jaime Casanova <[email protected]> 0 siblings, 0 replies; 13+ messages in thread From: Bruce Momjian @ 2012-08-30 01:14 UTC (permalink / raw) To: Jaime Casanova <[email protected]>; +Cc: Robert Haas <[email protected]>; Tom Lane <[email protected]>; Scott Marlowe <[email protected]>; pgsql-docs On Thu, May 3, 2012 at 02:05:49PM -0500, Jaime Casanova wrote: > On Wed, May 2, 2012 at 12:09 PM, Robert Haas <[email protected]> wrote: > > On Tue, Apr 24, 2012 at 2:55 AM, Jaime Casanova <[email protected]> wrote: > >> On Tue, Dec 13, 2011 at 11:27 PM, Tom Lane <[email protected]> wrote: > >>> > >>> I think it might be sane to emit a WARNING suggesting that CREATEUSER > >>> might not mean what you think, but failing is probably not good. > >>> > >> > >> are we going to do this in this release? > >> i never was able to think in a good phrasing for this, though > > > > I actually think we should just leave this alone. There is a > > limitless number of things that someone could potentially be confused > > by if they fail to read the documentation, and we can't warn about all > > of them. > > > > maybe is not very helpful, but it can't hurt... hey! it can save you > because you maybe used CREATEUSER with the intention of CREATEROLE, > and ended up with a user with restricted privileges that is actually a > SUPERUSER... that's bad and is a POLA violation. > > is worse because we are the ones causing the confusion consider the syntax: > CREATE USER = CREATE ROLE > IN GROUP = IN ROLE > USER = ROLE > > CREATEUSER != CREATEROLE > CREATEUSER = SUPERUSER I looked at this and can't see a way to make CREATEUSER != CREATEROLE clearer: The only difference is that when the command is spelled CREATE USER, LOGIN is assumed by default, whereas NOLOGIN is assumed when the command is spelled CREATE ROLE. -- Bruce Momjian <[email protected]> http://momjian.us EnterpriseDB http://enterprisedb.com + It's impossible for everything to be true. + ^ permalink raw reply [nested|flat] 13+ messages in thread
end of thread, other threads:[~2012-08-30 01:14 UTC | newest] Thread overview: 13+ messages (download: mbox mbox.gz follow: Atom feed) -- links below jump to the message on this page -- 2011-12-09 21:09 CREATE USER Jaime Casanova <[email protected]> 2011-12-10 03:21 ` Tom Lane <[email protected]> 2011-12-10 03:36 ` Jaime Casanova <[email protected]> 2011-12-10 17:33 ` Scott Marlowe <[email protected]> 2011-12-13 23:36 ` Bruce Momjian <[email protected]> 2011-12-14 00:12 ` Scott Marlowe <[email protected]> 2011-12-14 01:39 ` Bruce Momjian <[email protected]> 2011-12-14 04:27 ` Tom Lane <[email protected]> 2011-12-14 07:14 ` Scott Marlowe <[email protected]> 2012-04-24 06:55 ` Jaime Casanova <[email protected]> 2012-05-02 17:09 ` Robert Haas <[email protected]> 2012-05-03 19:05 ` Jaime Casanova <[email protected]> 2012-08-30 01:14 ` Bruce Momjian <[email protected]>
This inbox is served by agora; see mirroring instructions for how to clone and mirror all data and code used for this inbox