Re: role self-revocation

От

Peter Eisentraut

Тема

Дата

9 марта 2022 г. в 12:55:01

Msg-id

0c095133-7dc7-7a11-b773-0318807380db@enterprisedb.com

обсуждение

Ответ на

Re: role self-revocation (Robert Haas)

Список

pgsql-hackers

Дерево обсуждения

CREATEROLE and role ownership hierarchies Mark Dilger <mark.dilger@enterprisedb.com> 20 октября 2021 г. в 18:40:35

Re: CREATEROLE and role ownership hierarchies "Bossart, Nathan" <bossartn@amazon.com> 21 октября 2021 г. в 23:04:34

Re: CREATEROLE and role ownership hierarchies Mark Dilger <mark.dilger@enterprisedb.com> 21 октября 2021 г. в 23:21:09

Re: CREATEROLE and role ownership hierarchies Andrew Dunstan <andrew@dunslane.net> 26 октября 2021 г. в 18:50:49

Re: CREATEROLE and role ownership hierarchies Shinya Kato <Shinya11.Kato@oss.nttdata.com> 26 октября 2021 г. в 05:09:09

Re: CREATEROLE and role ownership hierarchies Mark Dilger <mark.dilger@enterprisedb.com> 26 октября 2021 г. в 15:12:47

Re: CREATEROLE and role ownership hierarchies Mark Dilger <mark.dilger@enterprisedb.com> 27 октября 2021 г. в 22:21:43

Re: CREATEROLE and role ownership hierarchies Shinya Kato <Shinya11.Kato@oss.nttdata.com> 4 ноября 2021 г. в 07:00:06

Re: CREATEROLE and role ownership hierarchies Shinya Kato <Shinya11.Kato@oss.nttdata.com> 28 октября 2021 г. в 02:32:03

Re: CREATEROLE and role ownership hierarchies Mark Dilger <mark.dilger@enterprisedb.com> 28 октября 2021 г. в 15:24:23

Re: CREATEROLE and role ownership hierarchies Tom Lane <tgl@sss.pgh.pa.us> 28 октября 2021 г. в 16:14:06

Re: CREATEROLE and role ownership hierarchies Shinya Kato <Shinya11.Kato@oss.nttdata.com> 29 октября 2021 г. в 02:05:10

On 07.03.22 19:18, Robert Haas wrote:
>> That all said, permissions SHOULD BE strictly additive.  If boss doesn't want to be a member of pg_read_all_files allowing them to revoke themself from that role seems like it should be acceptable.  If there is fear in allowing someone to revoke (not add) themselves as a member of a different role that suggests we have a design issue in another feature of the system.  Today, they neither grant nor revoke, and the self-revocation doesn't seem that important to add.
> I disagree with this on principle, and I also think that's not how it
> works today. On the general principle, I do not see a compelling
> reason why we should have two systems for maintaining groups of users,
> one of which is used for additive things and one of which is used for
> subtractive things.

Do we have subtractive permissions today?

В списке pgsql-hackers по дате отправления

Предыдущее

От: Andrew Dunstan

Дата: 9 марта 2022 г. в 12:53:54

Сообщение: Re: Time to drop plpython2?

Следующее

От: Ashutosh Sharma

Дата: 9 марта 2022 г. в 13:01:41

Сообщение: Re: Synchronizing slots from primary to standby