On 10/21/21 19:21, Mark Dilger wrote:
>> Also, are we just going to strip
>> the current CREATEROLE roles of much of their powers? Maybe it's
>> worth keeping a legacy CREATEROLE role attribute for upgraded clusters
>> that could eventually be removed down the road.
> The patch as written drastically reduces the power of the CREATEROLE attribute, in a non-backwards compatible way. I
wonderedif there would be complaints about that. If so, we could instead leave CREATEROLE alone, and create some other
privilegedrole for the same thing, but it does start to look funny having a CREATEROLE privilege bit and also a
privilegedrole named, perhaps, pg_can_create_roles.
Give that CREATEROLE currently just about amounts to being a superuser,
maybe there should be a pg_upgrade option to convert CREATEROLE to
SUPERUSER. I don't want to perpetuate the misfeature though, so let's
just bring it to an end.
cheers
andrew
--
Andrew Dunstan
EDB: https://www.enterprisedb.com