Re: CREATE USER
On Tue, Dec 13, 2011 at 11:27 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Bruce Momjian <bruce@momjian.us> writes:
Well, I know we support the new pg_dump dumping back to 7.1, but I don't
know what our policy is for accepting old dumps.We're still going to very large lengths to load pre-7.3 dumps; see
for instance ConvertTriggerToFK() in trigger.c. I'm not aware of any
policy that would suggest blowing off pre-8.1 dumps should be
acceptable. Yeah, it's true that the *recommended* procedure is to
use the newer pg_dump, but people aren't always in a position to do
that.I think it might be sane to emit a WARNING suggesting that CREATEUSER
might not mean what you think, but failing is probably not good.
are we going to do this in this release?
i never was able to think in a good phrasing for this, though
--
Jaime Casanova www.2ndQuadrant.com
Professional PostgreSQL: Soporte 24x7 y capacitación
Import Notes
Reply to msg id not found: 27416.1323836857@sss.pgh.pa.usReference msg id not found: 201112140139.pBE1dEo03975@momjian.usReference msg id not found: 27416.1323836857@sss.pgh.pa.us
On Tue, Apr 24, 2012 at 2:55 AM, Jaime Casanova <jaime@2ndquadrant.com> wrote:
On Tue, Dec 13, 2011 at 11:27 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Bruce Momjian <bruce@momjian.us> writes:
Well, I know we support the new pg_dump dumping back to 7.1, but I don't
know what our policy is for accepting old dumps.We're still going to very large lengths to load pre-7.3 dumps; see
for instance ConvertTriggerToFK() in trigger.c. I'm not aware of any
policy that would suggest blowing off pre-8.1 dumps should be
acceptable. Yeah, it's true that the *recommended* procedure is to
use the newer pg_dump, but people aren't always in a position to do
that.I think it might be sane to emit a WARNING suggesting that CREATEUSER
might not mean what you think, but failing is probably not good.are we going to do this in this release?
i never was able to think in a good phrasing for this, though
I actually think we should just leave this alone. There is a
limitless number of things that someone could potentially be confused
by if they fail to read the documentation, and we can't warn about all
of them.
Now, one thing we could do is add a deprecation warning, stating that
CREATEUSER may be removed in a future release, assuming we want to
eventually remove it. But I don't think warning people that
CREATEUSER means SUPERUSER and not CREATEROLE is very helpful.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
On Wed, May 2, 2012 at 12:09 PM, Robert Haas <robertmhaas@gmail.com> wrote:
On Tue, Apr 24, 2012 at 2:55 AM, Jaime Casanova <jaime@2ndquadrant.com> wrote:
On Tue, Dec 13, 2011 at 11:27 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
I think it might be sane to emit a WARNING suggesting that CREATEUSER
might not mean what you think, but failing is probably not good.are we going to do this in this release?
i never was able to think in a good phrasing for this, thoughI actually think we should just leave this alone. There is a
limitless number of things that someone could potentially be confused
by if they fail to read the documentation, and we can't warn about all
of them.
maybe is not very helpful, but it can't hurt... hey! it can save you
because you maybe used CREATEUSER with the intention of CREATEROLE,
and ended up with a user with restricted privileges that is actually a
SUPERUSER... that's bad and is a POLA violation.
is worse because we are the ones causing the confusion consider the syntax:
CREATE USER = CREATE ROLE
IN GROUP = IN ROLE
USER = ROLE
CREATEUSER != CREATEROLE
CREATEUSER = SUPERUSER
--
Jaime Casanova www.2ndQuadrant.com
Professional PostgreSQL: Soporte 24x7 y capacitación
On Thu, May 3, 2012 at 02:05:49PM -0500, Jaime Casanova wrote:
On Wed, May 2, 2012 at 12:09 PM, Robert Haas <robertmhaas@gmail.com> wrote:
On Tue, Apr 24, 2012 at 2:55 AM, Jaime Casanova <jaime@2ndquadrant.com> wrote:
On Tue, Dec 13, 2011 at 11:27 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
I think it might be sane to emit a WARNING suggesting that CREATEUSER
might not mean what you think, but failing is probably not good.are we going to do this in this release?
i never was able to think in a good phrasing for this, thoughI actually think we should just leave this alone. �There is a
limitless number of things that someone could potentially be confused
by if they fail to read the documentation, and we can't warn about all
of them.maybe is not very helpful, but it can't hurt... hey! it can save you
because you maybe used CREATEUSER with the intention of CREATEROLE,
and ended up with a user with restricted privileges that is actually a
SUPERUSER... that's bad and is a POLA violation.is worse because we are the ones causing the confusion consider the syntax:
CREATE USER = CREATE ROLE
IN GROUP = IN ROLE
USER = ROLECREATEUSER != CREATEROLE
CREATEUSER = SUPERUSER
I looked at this and can't see a way to make CREATEUSER != CREATEROLE
clearer:
The only difference is that when the command is spelled CREATE USER,
LOGIN is assumed by default, whereas NOLOGIN is assumed when the
command is spelled CREATE ROLE.
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ It's impossible for everything to be true. +