Re: Superuser can't revoke role granted by non-superuser

From Alexander Kukushkin
Subject Re: Superuser can't revoke role granted by non-superuser
Date
Msg-id CAFh8B=k0dciS9gQjF=KANv5REwe+8XqKLyUTuWfMP7DY8xsJVg@mail.gmail.com
In response to Re: Superuser can't revoke role granted by non-superuser  (Kirill Reshke <reshkekirill@gmail.com>)
Responses Re: Superuser can't revoke role granted by non-superuser
List pgsql-bugs


On Mon, 27 Jan 2025 at 10:37, Kirill Reshke <reshkekirill@gmail.com> wrote:
> I doubt this is a correct fix. The difference between cf5eb37 &
> f026c16 behaviour is in who granted membership in role 'bb' to role
> 'aa'. In the case of f026c16 the role is 'b', while after it is
> bootstrap superuser. Is this correct? If yes, why should we consider
> BOOTSTRAP_SUPERUSERID in this if statement? Maybe there are some other
> cases from which this will not guard?

Or... Maybe it is actually working like this by design.
There are UNIQUE constraints on pg_auth_members (member, roleid, grantor) columns.
Therefore the function is explicitly searching for a tuple with an exact match of member and grantor.
Also, REVOKE syntax was extended to support GRANTED BY.
E.g. the superuser is supposed to use "revoke bb from aa granted by b".

Regards,
--
Alexander Kukushkin
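
The behaviour described in this message, as an added example that is not part of the original post or of the PostgreSQL sources. The role names aa, bb and b follow the thread; the setup statements are an assumption about the scenario and expect PostgreSQL 16 or later, run as a superuser on a scratch instance.

```sql
-- Added illustration; the setup below is assumed, not taken from the thread.
CREATE ROLE aa;
CREATE ROLE bb;
CREATE ROLE b;

-- Let the non-superuser b administer membership in bb.
GRANT bb TO b WITH ADMIN OPTION;

-- b grants bb to aa, so the membership tuple is recorded with grantor = b.
SET ROLE b;
GRANT bb TO aa;
RESET ROLE;

-- Each grant is a separate row identified by (roleid, member, grantor).
SELECT roleid::regrole  AS granted_role,
       member::regrole  AS member,
       grantor::regrole AS grantor,
       admin_option
FROM pg_auth_members
WHERE roleid = 'bb'::regrole
ORDER BY member;

-- Without GRANTED BY the lookup uses the superuser as grantor; no such row
-- exists for aa, so the membership granted by b is left in place.
REVOKE bb FROM aa;

-- Naming the grantor matches the row created by b and removes it.
REVOKE bb FROM aa GRANTED BY b;

-- Check that aa no longer appears as a member of bb, then clean up.
SELECT member::regrole AS member, grantor::regrole AS grantor
FROM pg_auth_members
WHERE roleid = 'bb'::regrole;

REVOKE bb FROM b;
DROP ROLE aa, bb, b;
```

When auditing role memberships, include the grantor column in the query, since a revoke that omits GRANTED BY can leave grants made by other roles in effect.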
