Re: Backward compat issue with v16 around ROLEs

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Pavel Luzanov <[email protected]>
To: David G. Johnston <[email protected]>
To: Wolfgang Walther <[email protected]>
Cc: Dominique Devienne <[email protected]>
Cc: [email protected]
Subject: Re: Backward compat issue with v16 around ROLEs
Date: Wed, 11 Sep 2024 23:20:05 +0300
Message-ID: <[email protected]> (raw)
In-Reply-To: <CAKFQuwZL96kB2mR4SG0=Hig21mwv5AhkxjZRGCYoqeYzPBv6Tw@mail.gmail.com>
References: <CAFCRh-8+PGGTuqg=rSKA533D0dqYAgq69UzSqMm67VEW02nZyQ@mail.gmail.com>
	<CAKFQuwYK2Vdnbdaxh9QF_0PYpztg51nc-iqYeiKDfpzek7hTdQ@mail.gmail.com>
	<CAFCRh-8ttK7AexZtZq-vcj+u5e2F93HEs63jrkEH0pq6Gf1TWw@mail.gmail.com>
	<[email protected]>
	<CAKFQuwZL96kB2mR4SG0=Hig21mwv5AhkxjZRGCYoqeYzPBv6Tw@mail.gmail.com>

On 11.09.2024 22:21, David G. Johnston wrote:
>
>     > ddevienne=> grant dd_owner to dd_admin with admin option; --
>     <<<<<<<<
>
>     I think this needs to be the other way around:
>
>        grant dd_admin to dd_owner with admin option;
>
>     Best,
>
>     Wolfgang
>
>
> Probably, intend to get those reversed and wasn't in a position to 
> experiment.  In any case fixing the with admin error is the correct 
> approach.

Unfortunately,itwon'twork. Dominiqueis right.Thiswill leadtocircularities. After this grant:

grant dd_owner to dd_admin;

reverse grant is not possible.
I thinkthisis a migrationissueforv16and it is not mentioned in release 
notes.

Ididn'tquiteunderstandthe exactpurposeof the roles dd_owner and dd_admin.  
But apossibleway is to use dd_admin to create roles. For example:

create role dd_admin login createrole;
\c - dd_admin
create role dd_owner noinherit;

create role dd_user login;
grant dd_owner to dd_user;

\c - dd_user
set role dd_owner;

-- 
Pavel Luzanov
Postgres Professional:https://postgrespro.com

view thread (15+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected], [email protected]
  Subject: Re: Backward compat issue with v16 around ROLEs
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox