Re: CREATE ROLE IF NOT EXISTS

2022-01-10 Thread Asif Rehman
The following review has been posted through the commitfest application: make installcheck-world: tested, passed Implements feature: tested, passed Spec compliant: tested, passed Documentation: not tested Wouldn't using opt_or_replace rule be a better option? The new s

Re: CREATE ROLE IF NOT EXISTS

2021-11-22 Thread David Christensen
On Mon, Nov 22, 2021 at 6:49 AM Daniel Gustafsson wrote: > > On 10 Nov 2021, at 18:14, David Christensen < > david.christen...@crunchydata.com> wrote: > > > Modulo other issues/discussions, here is a version of this patch.. > > This patch fails to compile since you renamed the if_not_exists membe

Re: CREATE ROLE IF NOT EXISTS

2021-11-22 Thread Daniel Gustafsson
> On 10 Nov 2021, at 18:14, David Christensen > wrote: > Modulo other issues/discussions, here is a version of this patch.. This patch fails to compile since you renamed the if_not_exists member in CreateRoleStmt but still set it in the parser. -- Daniel Gustafsson https://vmware

Re: CREATE ROLE IF NOT EXISTS

2021-11-10 Thread David Christensen
Modulo other issues/discussions, here is a version of this patch that implements CREATE OR REPLACE ROLE just by handing off to AlterRole if it's determined that the role already exists; presumably any/all additional considerations would need to be added in both places were there a separate code pat

Re: CREATE ROLE IF NOT EXISTS

2021-11-09 Thread Mark Dilger
> On Nov 9, 2021, at 8:50 AM, Stephen Frost wrote: > >> If we fix the existing bug that the pg_auth_members.grantor field can end up >> as a dangling reference, instead making sure that it is always accurate, >> then perhaps this would be ok if all roles granted into "charlie" had >> granto

Re: CREATE ROLE IF NOT EXISTS

2021-11-09 Thread Stephen Frost
Greetings, * Mark Dilger (mark.dil...@enterprisedb.com) wrote: > > On Nov 9, 2021, at 8:22 AM, Stephen Frost wrote: > > In terms of least-surprise, I do tend to think that the answer is "only > > care about what is explicitly put into the command"- that is, if it > > isn't in the CREATE ROLE stat

Re: CREATE ROLE IF NOT EXISTS

2021-11-09 Thread Mark Dilger
> On Nov 9, 2021, at 8:22 AM, Stephen Frost wrote: > > In terms of least-surprise, I do tend to think that the answer is "only > care about what is explicitly put into the command"- that is, if it > isn't in the CREATE ROLE statement then it gets left as-is. Not sure > how others feel about t

Re: CREATE ROLE IF NOT EXISTS

2021-11-09 Thread David Christensen
On Tue, Nov 9, 2021 at 10:22 AM Stephen Frost wrote: > Greetings, > > * David Christensen (david.christen...@crunchydata.com) wrote: > > Well, the CREATE OR REPLACE via just setting the role's attributes > > explicitly based on what you passed it could work (not strictly DROP + > > CREATE, in tha

Re: CREATE ROLE IF NOT EXISTS

2021-11-09 Thread Stephen Frost
Greetings, * David Christensen (david.christen...@crunchydata.com) wrote: > On Tue, Nov 9, 2021 at 9:55 AM Mark Dilger > wrote: > > > On Nov 9, 2021, at 7:36 AM, David Christensen < > > david.christen...@crunchydata.com> wrote: > > > If CINE semantics are at issue, what about the CREATE OR REPLA

Re: CREATE ROLE IF NOT EXISTS

2021-11-09 Thread David Christensen
On Tue, Nov 9, 2021 at 9:55 AM Mark Dilger wrote: > > On Nov 9, 2021, at 7:36 AM, David Christensen < > david.christen...@crunchydata.com> wrote: > > > > If CINE semantics are at issue, what about the CREATE OR REPLACE > semantics with some sort of merge into the existing role? I don't care > st

Re: CREATE ROLE IF NOT EXISTS

2021-11-09 Thread Stephen Frost
Greetings, * Mark Dilger (mark.dil...@enterprisedb.com) wrote: > > On Nov 9, 2021, at 7:36 AM, David Christensen > > wrote: > > If CINE semantics are at issue, what about the CREATE OR REPLACE semantics > > with some sort of merge into the existing role? I don't care strongly > > about which

Re: CREATE ROLE IF NOT EXISTS

2021-11-09 Thread Stephen Frost
user > cannot be dropped`. Not that I am promoting the use of `pg_dumpall > --clean`, as there are clearly better solutions here, but something which > generates unusable output does not seem that useful. Instead, you could > generate `CREATE ROLE IF NOT EXISTS username` statements and emit

Re: CREATE ROLE IF NOT EXISTS

2021-11-09 Thread Mark Dilger
> On Nov 9, 2021, at 7:36 AM, David Christensen > wrote: > > If CINE semantics are at issue, what about the CREATE OR REPLACE semantics > with some sort of merge into the existing role? I don't care strongly about > which approach is taken, just think the overall "make this role exist in t

Re: CREATE ROLE IF NOT EXISTS

2021-11-09 Thread David Christensen
rily cannot work, as it fails with the error `current user cannot be dropped`. Not that I am promoting the use of `pg_dumpall --clean`, as there are clearly better solutions here, but something which generates unusable output does not seem that useful. Instead, you could generate `CREATE ROLE

Re: CREATE ROLE IF NOT EXISTS

2021-11-08 Thread Mark Dilger
> On Nov 8, 2021, at 10:38 AM, Stephen Frost wrote: > > I don't quite follow this. The entire point of Alice writing a script > that uses IF NOT EXISTS is to have that command not fail if, indeed, > that role already exists, but for the rest of the script to be run. > That there's some potent

Re: CREATE ROLE IF NOT EXISTS

2021-11-08 Thread Tom Lane
Stephen Frost writes: > I don't quite follow this. The entire point of Alice writing a script > that uses IF NOT EXISTS is to have that command not fail if, indeed, > that role already exists, but for the rest of the script to be run. > That there's some potential attacker with CREATEROLE running

Re: CREATE ROLE IF NOT EXISTS

2021-11-08 Thread Stephen Frost
as a role. It's not hard at all to conjure up > > scenarios in which this permits privilege escalation. That is, > > Alice wants to create role Bob and give it some privileges, but > > she's lazy and writes a quick-and-dirty script using CREATE ROLE > > IF NOT EXIS

Re: CREATE ROLE IF NOT EXISTS

2021-11-04 Thread Daniel Gustafsson
ch this permits privilege escalation. That is, > Alice wants to create role Bob and give it some privileges, but > she's lazy and writes a quick-and-dirty script using CREATE ROLE > IF NOT EXISTS. Meanwhile Charlie sneaks in and creates Bob first, > and then grants it to himself. Now

Re: CREATE ROLE IF NOT EXISTS

2021-11-03 Thread Tom Lane
its privilege escalation. That is, Alice wants to create role Bob and give it some privileges, but she's lazy and writes a quick-and-dirty script using CREATE ROLE IF NOT EXISTS. Meanwhile Charlie sneaks in and creates Bob first, and then grants it to himself. Now Alice's script is g

Re: CREATE ROLE IF NOT EXISTS

2021-11-03 Thread David Christensen
> > > This fails the roleattributes test in "make check", with what seems to be a > trivial change in the output. Can you please submit a rebased version > fixing > the test? > Updated version attached. David CREATE-ROLE-IF-NOT-EXISTS-v2.patch Description: Binary data

Re: CREATE ROLE IF NOT EXISTS

2021-11-03 Thread Daniel Gustafsson
> On 19 Oct 2021, at 22:12, David Christensen > wrote: > > Greetings -hackers, > > Enclosed is a patch that implements CREATE ROLE IF NOT EXISTS (along with the > same support for USER/GROUP). This is a fairly straightforward approach in > that we do no validatio

Re: CREATE ROLE IF NOT EXISTS

2021-10-21 Thread David Christensen
On Tue, Oct 19, 2021 at 4:29 PM Isaac Morland wrote: > On Tue, 19 Oct 2021 at 16:12, David Christensen < > david.christen...@crunchydata.com> wrote: > >> Greetings -hackers, >> >> Enclosed is a patch that implements CREATE ROLE IF NOT EXISTS (along with >>

Re: CREATE ROLE IF NOT EXISTS

2021-10-19 Thread Isaac Morland
On Tue, 19 Oct 2021 at 16:12, David Christensen < david.christen...@crunchydata.com> wrote: > Greetings -hackers, > > Enclosed is a patch that implements CREATE ROLE IF NOT EXISTS (along with > the same support for USER/GROUP). This is a fairly straightforward > appr

CREATE ROLE IF NOT EXISTS

2021-10-19 Thread David Christensen
Greetings -hackers, Enclosed is a patch that implements CREATE ROLE IF NOT EXISTS (along with the same support for USER/GROUP). This is a fairly straightforward approach in that we do no validation of anything other than existence, with the user needing to ensure that permissions/grants are set