Robert, all, [... comments elsewhere made me realize I hadn't actually sent this when I thought I had, my apologies on that ...]
* Robert Haas (robertmh...@gmail.com) wrote: > Great. But there's no particular use case served by a lot of things > which are natural outgrowths of the rest of the system which we permit > anyway because it's too awkward otherwise - like zero-column tables. Based on our discussion at PGConf.US and the comments up-thread from Tom, I'll work up a patch to remove those checks around SET ROLE and friends which were trying to prevent default roles from possibly being made to own objects. Should the checks, which have been included since nearly the start of this version of the patch, to prevent users from GRANT'ing other rights to the default roles remain? Or should those also be removed? I *think* pg_dump/pg_upgrade would be fine with rights being added, and if we aren't preventing ownership of objects then we aren't going to be able to remove such roles in any case. Of course, with these default roles, users can't REVOKE the rights which are granted to them as that happens in C code, outside of the GRANT system. Working up a patch to remove these checks should be pretty quickly done (iirc, I've actually got an independent patch around from when I added them, just need to find it and then go through the committed patches to make sure I take care of everything), but would like to make sure that we're now all on the same page and that *all* of these checks should be removed, making default roles just exactly like "regular" roles, except that they're created at initdb time and have "special" rights provided by C-level code checks. Thanks! Stephen
signature.asc
Description: Digital signature