Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pg 16: granting BYPASSRLS doesn't require SUPERUSER anymore #78

Open
steve-chavez opened this issue Feb 1, 2024 · 1 comment
Open

pg 16: granting BYPASSRLS doesn't require SUPERUSER anymore #78

steve-chavez opened this issue Feb 1, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@steve-chavez
Copy link
Member

Problem

On pg 15 and lower https://www.postgresql.org/docs/15/sql-createrole.html

You must be a superuser to create a new role having the BYPASSRLS attribute.

For pg 16 and up https://www.postgresql.org/docs/16/sql-createrole.html

Only superuser roles or roles with BYPASSRLS can specify BYPASSRLS.

Currently supautils has custom code for granting BYPASSRLS via privileged_role, which internally we turn into superuser.. but this is no longer necessary.

Solution

Disable the BYPASSRLS feature with privileged_role for pg >= 16. Doing ALTER ROLE privileged_role BYPASSRLS is enough for allowing granting BYPASSRLS to other roles.

cc @soedirgo
@steve-chavez steve-chavez added the enhancement New feature or request label Feb 1, 2024
@steve-chavez steve-chavez mentioned this issue Feb 2, 2024
Open
@steve-chavez steve-chavez changed the title PostgreSQL 16: granting BYPASSRLS doesn't require SUPERUSER PostgreSQL 16: granting BYPASSRLS doesn't require SUPERUSER anymore Feb 8, 2024
@steve-chavez steve-chavez changed the title PostgreSQL 16: granting BYPASSRLS doesn't require SUPERUSER anymore pg 16: granting BYPASSRLS doesn't require SUPERUSER anymore Feb 8, 2024
@AntonOfTheWoods
Copy link

bfed3e8 would suggest to the untrained eye that pg17 is supported, meaning pg16 probably is too, no?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@steve-chavez @AntonOfTheWoods