Re: Additional Grants To SuperUser?

2011/2/4 Carlos Mennens <carlos(dot)mennens(at)gmail(dot)com>

> On Fri, Feb 4, 2011 at 2:18 PM, David Johnston <polobo(at)yahoo(dot)com> wrote:
> > Not to be smart about it but you could just logon as carlos (or a
> different
> > superuser you create for this purpose) and issue "Create Database xxx"
> and
> > "Create Role xxx" statements and see whether they work. A superuser
> should
> > (imo) be able to do everything (including dropping) without any
> additional
> > permissions required so unless you see that carlos cannot I would say you
> > are good.
>
> Yes but I'm trying to understand the difference because the default
> 'postgres' user that is auto-configured to have 'SUPERUSER',
> 'CREATEDB', & 'CREATEROLE' grants. I'm trying to understand if those
> are redundant grants or if there is a reason PostgreSQL developers
> grant the 'postgres' user with SUPERUSER, CREATEDB, & CREATEROLE.
> Seems to me logically that if a someone is a superuser, then they
> should be able to CREATEDB & CREATEROLE, no? So why would the
> 'postgres' user need those additional attributes?
>
These all (SUPERUSER, CREATEDB, SUPERUSER) are role attributes.
By performing ALTER ROLE postgres NOSUPERUSER it is possible to
turn role with a superuser status into a role that just can create databases
and manage roles (admin, but without superuser privileges).

>
>
> postgres=# \du
> List of roles
> Role name | Attributes | Member of
> ------------+-------------+-----------
> cmennens | Superuser | {}
> postgres | Superuser | {}
> : Create role
> : Create DB
>
> --
> Sent via pgsql-general mailing list (pgsql-general(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general
>

--
// Dmitriy.