Re: [GENERAL] Additional Grants To SuperUser?
2011/2/7 Carlos Mennens carlos.menn...@gmail.com On Fri, Feb 4, 2011 at 5:08 PM, Dmitriy Igrishin dmit...@gmail.com wrote: These all (SUPERUSER, CREATEDB, SUPERUSER) are role attributes. By performing ALTER ROLE postgres NOSUPERUSER it is possible to turn role with a superuser status into a role that just can create databases and manage roles (admin, but without superuser privileges). So is it very bad to alter ANY of the default role attributes granted to the 'postgres' user? I don't know if removing role attributes from him will have negative consequences to features / functional tasks of the PostgreSQL server / client application(s). Nothing special in 'postgres' user from the POV of DBMS. It is just a user with superuser attribute created when you perform initdb(1). But please note, some OS distributives uses 'postgres' for non-interactive access to all databases for automatic maintenance (custom daily cronjobs, replication, and similar tasks) -- please see you pg_hba.conf file where entry for 'postgres' user usually resides. -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general -- // Dmitriy.
Re: [GENERAL] Additional Grants To SuperUser?
On Fri, Feb 4, 2011 at 5:08 PM, Dmitriy Igrishin dmit...@gmail.com wrote: These all (SUPERUSER, CREATEDB, SUPERUSER) are role attributes. By performing ALTER ROLE postgres NOSUPERUSER it is possible to turn role with a superuser status into a role that just can create databases and manage roles (admin, but without superuser privileges). So is it very bad to alter ANY of the default role attributes granted to the 'postgres' user? I don't know if removing role attributes from him will have negative consequences to features / functional tasks of the PostgreSQL server / client application(s). -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
Re: [GENERAL] Additional Grants To SuperUser?
Not to be smart about it but you could just logon as carlos (or a different superuser you create for this purpose) and issue Create Database xxx and Create Role xxx statements and see whether they work. A superuser should (imo) be able to do everything (including dropping) without any additional permissions required so unless you see that carlos cannot I would say you are good. David J -Original Message- From: pgsql-general-ow...@postgresql.org [mailto:pgsql-general-ow...@postgresql.org] On Behalf Of Carlos Mennens Sent: Friday, February 04, 2011 1:28 PM To: pgsql-general@postgresql.org Subject: [GENERAL] Additional Grants To SuperUser? I created a role named 'carlos' which is my current user account with 'superuser' grants but my question is when I look at 'postgres' account, he has additional grants that I don't understand. List of roles Role name | Attributes | Member of ---+-+--- carlos | Superuser | {} jmadeline | Create DB | {} mwilshaw | Create DB | {} postgres| Superuser | {} : Create role : Create DB So from what I see above, 'carlos' is a superuser but do I need to grant him 'CREATEROLE' 'CREATEDB' rights along with 'SUPERUSER' or is 'SUPERUSER' by itself good enough? -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
Re: [GENERAL] Additional Grants To SuperUser?
On Fri, Feb 4, 2011 at 2:18 PM, David Johnston pol...@yahoo.com wrote: Not to be smart about it but you could just logon as carlos (or a different superuser you create for this purpose) and issue Create Database xxx and Create Role xxx statements and see whether they work. A superuser should (imo) be able to do everything (including dropping) without any additional permissions required so unless you see that carlos cannot I would say you are good. Yes but I'm trying to understand the difference because the default 'postgres' user that is auto-configured to have 'SUPERUSER', 'CREATEDB', 'CREATEROLE' grants. I'm trying to understand if those are redundant grants or if there is a reason PostgreSQL developers grant the 'postgres' user with SUPERUSER, CREATEDB, CREATEROLE. Seems to me logically that if a someone is a superuser, then they should be able to CREATEDB CREATEROLE, no? So why would the 'postgres' user need those additional attributes? postgres=# \du List of roles Role name | Attributes | Member of +-+--- cmennens | Superuser | {} postgres | Superuser | {} : Create role : Create DB -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
Re: [GENERAL] Additional Grants To SuperUser?
2011/2/4 Carlos Mennens carlos.menn...@gmail.com On Fri, Feb 4, 2011 at 2:18 PM, David Johnston pol...@yahoo.com wrote: Not to be smart about it but you could just logon as carlos (or a different superuser you create for this purpose) and issue Create Database xxx and Create Role xxx statements and see whether they work. A superuser should (imo) be able to do everything (including dropping) without any additional permissions required so unless you see that carlos cannot I would say you are good. Yes but I'm trying to understand the difference because the default 'postgres' user that is auto-configured to have 'SUPERUSER', 'CREATEDB', 'CREATEROLE' grants. I'm trying to understand if those are redundant grants or if there is a reason PostgreSQL developers grant the 'postgres' user with SUPERUSER, CREATEDB, CREATEROLE. Seems to me logically that if a someone is a superuser, then they should be able to CREATEDB CREATEROLE, no? So why would the 'postgres' user need those additional attributes? These all (SUPERUSER, CREATEDB, SUPERUSER) are role attributes. By performing ALTER ROLE postgres NOSUPERUSER it is possible to turn role with a superuser status into a role that just can create databases and manage roles (admin, but without superuser privileges). postgres=# \du List of roles Role name | Attributes | Member of +-+--- cmennens | Superuser | {} postgres | Superuser | {} : Create role : Create DB -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general -- // Dmitriy.