Thread: Restricting the CREATEROLE privilege

Restricting the CREATEROLE privilege

From

"Wappler, Robert"

Date:

25 February 2010, 04:26:24

Good Morning,
is there a way to limit the CREATEROLE privilege to a specific database?
I currently set up an automated integration test environment. This includes a
database owned by a specific user which should have all degrees of freedom
for installing whatever database schemas are in the current revision as well as
creating roles used by the test cases to access the database.

I do not want that user to create roles, which are then available in every
database.

--

    Robert...

Re: Restricting the CREATEROLE privilege

From

Alex Hunsaker

Date:

25 February 2010, 10:49:47

On Thu, Feb 25, 2010 at 01:26, Wappler, Robert <rwappler@ophardt.com> wrote:
> Good Morning,
> is there a way to limit the CREATEROLE privilege to a specific database?
> I currently set up an automated integration test environment. This includes a
> database owned by a specific user which should have all degrees of freedom
> for installing whatever database schemas are in the current revision as well as
> creating roles used by the test cases to access the database.

You could create a base role that does not have connect privileges on
the other databases.  Then just inherit from that role.  Something
like:
CREATE ROLE base_user;
REVOKE CONNECT ON database from base_user;
...

CREATE ROLE my_user inherit base_user;

You could also go the other route and default deny connect databases
and explicitly allow connect.

Re: Restricting the CREATEROLE privilege

From

"Wappler, Robert"

Date:

25 February 2010, 11:25:38

On 2010-02-25, Alex Hunsaker wrote:

> You could create a base role that does not have connect privileges on
> the other databases.  Then just inherit from that role.  Something
like:
> CREATE ROLE base_user; REVOKE CONNECT ON database from base_user; ...
>
> CREATE ROLE my_user inherit base_user;
>

Unfortunately, base_user inherits the connect privileges from role
PUBLIC, regardless, whether it was created with NOINHERIT.

> You could also go the other route and default deny connect databases
> and explicitly allow connect.
>

That other way round seems to be the only solution for now, first revoke
the CONNECT privileges from PUBLIC and then grant them to individual
roles.

How about changing the CREATEROLE privilege to be associated with a
specific database instead of affecting all databases?

--
Robert...

Re: Restricting the CREATEROLE privilege

From

Alex Hunsaker

Date:

25 February 2010, 12:17:04

On Thu, Feb 25, 2010 at 08:22, Wappler, Robert <rwappler@ophardt.com> wrote:
> Unfortunately, base_user inherits the connect privileges from role
> PUBLIC, regardless, whether it was created with NOINHERIT.

Yeah, IMO the documentation does not really spell out that limitation.

> How about changing the CREATEROLE privilege to be associated with a
> specific database instead of affecting all databases?

Well just on the grounds that it would break every current user of
CREATE ROLE... that's probably not going to happen.  I could imagine
there could be some syntax sugar for this.  But I don't think it would
be any nicer as you would probably need to REVOKE PUBLIC and inherit
anyway.  Not to mention I'm not sure what the semantics would be or
where it gets its 'default' permissions.  A ruff idea would be for
each database (except the connected one) REVOKE ALL on database.  Of
course feel free to flesh it out and submit a patch :).  In any event
its certainly too late for 9.0 and would not be back patched anyway...