Robert, all,
[... comments elsewhere made me realize I hadn't actually sent this when
I thought I had, my apologies on that ...]
* Robert Haas (robertmhaas@gmail.com) wrote:
> Great. But there's no particular use case served by a lot of things
> which are natural outgrowths of the rest of the system which we permit
> anyway because it's too awkward otherwise - like zero-column tables.
Based on our discussion at PGConf.US and the comments up-thread from
Tom, I'll work up a patch to remove those checks around SET ROLE and
friends which were trying to prevent default roles from possibly being
made to own objects.
Should the checks, which have been included since nearly the start of
this version of the patch, to prevent users from GRANT'ing other rights
to the default roles remain? Or should those also be removed? I
*think* pg_dump/pg_upgrade would be fine with rights being added, and if
we aren't preventing ownership of objects then we aren't going to be
able to remove such roles in any case.
Of course, with these default roles, users can't REVOKE the rights which
are granted to them as that happens in C code, outside of the GRANT
system.
Working up a patch to remove these checks should be pretty quickly done
(iirc, I've actually got an independent patch around from when I added
them, just need to find it and then go through the committed patches to
make sure I take care of everything), but would like to make sure that
we're now all on the same page and that *all* of these checks should be
removed, making default roles just exactly like "regular" roles, except
that they're created at initdb time and have "special" rights provided
by C-level code checks.
Thanks!
Stephen