Re: new createuser option for replication role

Hi,

Currently createuser cannot create a role with REPLICATION privilege
because it doesn't have any option to do that. Which sometimes annoys
me when setting up replication. I'd like to propose to add new options
"-x (--replication)" and "-X (--no-replication)" into createuser. "-x" allows
the new user to do replication, and "-X" disallows. The default is "-X".
Is it worth creating the patch?

Though I'd like to use "-r" and "-R" as the option name, they have already
been used for CREATEROLE privilege. So I'm thinking to use "-x" and
"-X" derived from XLOG. But does anyone have better option name?

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

On Sat, Sep 10, 2011 at 2:08 PM, Fujii Masao <masao(dot)fujii(at)gmail(dot)com> wrote:
> Currently createuser cannot create a role with REPLICATION privilege
> because it doesn't have any option to do that. Which sometimes annoys
> me when setting up replication. I'd like to propose to add new options
> "-x (--replication)" and "-X (--no-replication)" into createuser. "-x" allows
> the new user to do replication, and "-X" disallows. The default is "-X".
> Is it worth creating the patch?

Patch attached.

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

Fujii Masao <masao(dot)fujii(at)gmail(dot)com> writes:
> Currently createuser cannot create a role with REPLICATION privilege
> because it doesn't have any option to do that. Which sometimes annoys
> me when setting up replication. I'd like to propose to add new options
> "-x (--replication)" and "-X (--no-replication)" into createuser. "-x" allows
> the new user to do replication, and "-X" disallows. The default is "-X".
> Is it worth creating the patch?

> Though I'd like to use "-r" and "-R" as the option name, they have already
> been used for CREATEROLE privilege. So I'm thinking to use "-x" and
> "-X" derived from XLOG. But does anyone have better option name?

Better solution: don't have a short form of the switch.

regards, tom lane

On Sat, Sep 10, 2011 at 11:50 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Fujii Masao <masao(dot)fujii(at)gmail(dot)com> writes:
>> Currently createuser cannot create a role with REPLICATION privilege
>> because it doesn't have any option to do that. Which sometimes annoys
>> me when setting up replication. I'd like to propose to add new options
>> "-x (--replication)" and "-X (--no-replication)" into createuser. "-x" allows
>> the new user to do replication, and "-X" disallows. The default is "-X".
>> Is it worth creating the patch?
>
>> Though I'd like to use "-r" and "-R" as the option name, they have already
>> been used for CREATEROLE privilege. So I'm thinking to use "-x" and
>> "-X" derived from XLOG. But does anyone have better option name?
>
> Better solution: don't have a short form of the switch.

That sounds better. I revised the patch so that it adds only "--replication"
option to createuser.

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

Hello

Before doing the complete review, I hit a regression with 9.1 createrole.

the command ''createuser -e -s foo" produce :
CREATE ROLE foo SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN NOREPLICATION;

before it was:
CREATE ROLE foo SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN;

The REPLICATION was allowed by default to superuser, and the current
patch change the default to remove the right.

I believe we should add only the REPLICATION when --replication is
set, and NOREPLICATION when --no-replication is set.

2011/9/11 Fujii Masao <masao(dot)fujii(at)gmail(dot)com>:
> On Sat, Sep 10, 2011 at 11:50 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> Fujii Masao <masao(dot)fujii(at)gmail(dot)com> writes:
>>> Currently createuser cannot create a role with REPLICATION privilege
>>> because it doesn't have any option to do that. Which sometimes annoys
>>> me when setting up replication. I'd like to propose to add new options
>>> "-x (--replication)" and "-X (--no-replication)" into createuser. "-x" allows
>>> the new user to do replication, and "-X" disallows. The default is "-X".
>>> Is it worth creating the patch?
>>
>>> Though I'd like to use "-r" and "-R" as the option name, they have already
>>> been used for CREATEROLE privilege. So I'm thinking to use "-x" and
>>> "-X" derived from XLOG. But does anyone have better option name?
>>
>> Better solution: don't have a short form of the switch.
>
> That sounds better. I revised the patch so that it adds only "--replication"
> option to createuser.
>
> Regards,
>
> --
> Fujii Masao
> NIPPON TELEGRAPH AND TELEPHONE CORPORATION
> NTT Open Source Software Center
>
>
> --
> Sent via pgsql-hackers mailing list (pgsql-hackers(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-hackers
>
>

--
Cédric Villemain +33 (0)6 20 30 22 52
http://2ndQuadrant.fr/
PostgreSQL: Support 24x7 - Développement, Expertise et Formation

On Thu, Sep 22, 2011 at 10:55 PM, Cédric Villemain
<cedric(dot)villemain(dot)debian(at)gmail(dot)com> wrote:
> Before doing the complete review, I hit a regression with 9.1 createrole.

Thanks!

> the command ''createuser -e -s foo" produce :
>  CREATE ROLE foo SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN NOREPLICATION;
>
> before it was:
>  CREATE ROLE foo SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN;
>
> The REPLICATION was allowed by default to superuser, and the current
> patch change the default to remove the right.
>
> I believe we should add only the REPLICATION when --replication is
> set, and NOREPLICATION when --no-replication is set.

Agreed. Attached is the updated version of the patch. It adds two options
--replication and --no-replication. If neither specified, neither REPLICATION
nor NOREPLICATION is specified in CREATE ROLE, i.e., in this case,
replication privilege is granted to only superuser.

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center

On Thu, Sep 22, 2011 at 12:45 PM, Fujii Masao <masao(dot)fujii(at)gmail(dot)com> wrote:
> Agreed. Attached is the updated version of the patch. It adds two options
> --replication and --no-replication. If neither specified, neither REPLICATION
> nor NOREPLICATION is specified in CREATE ROLE, i.e., in this case,
> replication privilege is granted to only superuser.

Committed. Do we need to make any changes in interactive mode, when
we prompt? In theory this could be either wanted or not wanted for
either superusers or non-superusers, but I'm not really sure it's
worth it, and I certainly don't want the command to go into
interactive mode just because neither --replication nor
--no-replication was specified.

Thoughts?

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

2011/9/23 Robert Haas <robertmhaas(at)gmail(dot)com>:
> On Thu, Sep 22, 2011 at 12:45 PM, Fujii Masao <masao(dot)fujii(at)gmail(dot)com> wrote:
>> Agreed. Attached is the updated version of the patch. It adds two options
>> --replication and --no-replication. If neither specified, neither REPLICATION
>> nor NOREPLICATION is specified in CREATE ROLE, i.e., in this case,
>> replication privilege is granted to only superuser.
>
> Committed.  Do we need to make any changes in interactive mode, when
> we prompt?  In theory this could be either wanted or not wanted for
> either superusers or non-superusers, but I'm not really sure it's
> worth it, and I certainly don't want the command to go into
> interactive mode just because neither --replication nor
> --no-replication was specified.
>
> Thoughts?

I believe the intereactive mode is useless.

There is still an issue with the patch for the documentation: a
superuser, even with NOREPLICATION is allowed to perform
pg_start_backup() and pg_stop_backup().

>
> --
> Robert Haas
> EnterpriseDB: http://www.enterprisedb.com
> The Enterprise PostgreSQL Company
>

--
Cédric Villemain +33 (0)6 20 30 22 52
http://2ndQuadrant.fr/
PostgreSQL: Support 24x7 - Développement, Expertise et Formation

2011/9/23 Cédric Villemain <cedric(dot)villemain(dot)debian(at)gmail(dot)com>:
> 2011/9/23 Robert Haas <robertmhaas(at)gmail(dot)com>:
>> On Thu, Sep 22, 2011 at 12:45 PM, Fujii Masao <masao(dot)fujii(at)gmail(dot)com> wrote:
>>> Agreed. Attached is the updated version of the patch. It adds two options
>>> --replication and --no-replication. If neither specified, neither REPLICATION
>>> nor NOREPLICATION is specified in CREATE ROLE, i.e., in this case,
>>> replication privilege is granted to only superuser.
>>
>> Committed.  Do we need to make any changes in interactive mode, when
>> we prompt?  In theory this could be either wanted or not wanted for
>> either superusers or non-superusers, but I'm not really sure it's
>> worth it, and I certainly don't want the command to go into
>> interactive mode just because neither --replication nor
>> --no-replication was specified.
>>
>> Thoughts?
>
> I believe the intereactive mode is useless.
>
> There is still an issue with the patch for the documentation: a
> superuser, even with NOREPLICATION is allowed to perform
> pg_start_backup() and pg_stop_backup().

noise, sorry
I've just read the commited patch which fixed that.

>
>
>>
>> --
>> Robert Haas
>> EnterpriseDB: http://www.enterprisedb.com
>> The Enterprise PostgreSQL Company
>>
>
>
>
> --
> Cédric Villemain +33 (0)6 20 30 22 52
> http://2ndQuadrant.fr/
> PostgreSQL: Support 24x7 - Développement, Expertise et Formation
>

--
Cédric Villemain +33 (0)6 20 30 22 52
http://2ndQuadrant.fr/
PostgreSQL: Support 24x7 - Développement, Expertise et Formation

On Fri, Sep 23, 2011 at 10:47 PM, Cédric Villemain
<cedric(dot)villemain(dot)debian(at)gmail(dot)com> wrote:
> 2011/9/23 Robert Haas <robertmhaas(at)gmail(dot)com>:
>> On Thu, Sep 22, 2011 at 12:45 PM, Fujii Masao <masao(dot)fujii(at)gmail(dot)com> wrote:
>>> Agreed. Attached is the updated version of the patch. It adds two options
>>> --replication and --no-replication. If neither specified, neither REPLICATION
>>> nor NOREPLICATION is specified in CREATE ROLE, i.e., in this case,
>>> replication privilege is granted to only superuser.
>>
>> Committed.  Do we need to make any changes in interactive mode, when
>> we prompt?  In theory this could be either wanted or not wanted for
>> either superusers or non-superusers, but I'm not really sure it's
>> worth it, and I certainly don't want the command to go into
>> interactive mode just because neither --replication nor
>> --no-replication was specified.
>>
>> Thoughts?
>
> I believe the intereactive mode is useless.

Agreed. I think that a majority of "createuser" users are not interested
in REPLICATION privilege yet.

Regards,

--
Fujii Masao
NIPPON TELEGRAPH AND TELEPHONE CORPORATION
NTT Open Source Software Center