Skip to content

pg 16: granting BYPASSRLS doesn't require SUPERUSER anymore #78

New issue
New issue
Open
Open
pg 16: granting BYPASSRLS doesn't require SUPERUSER anymore#78
Labels
enhancementNew feature or request
@steve-chavez

Description

@steve-chavez
steve-chavez
opened on Feb 1, 2024

Problem

On pg 15 and lower https://www.postgresql.org/docs/15/sql-createrole.html

You must be a superuser to create a new role having the BYPASSRLS attribute.

For pg 16 and up https://www.postgresql.org/docs/16/sql-createrole.html

Only superuser roles or roles with BYPASSRLS can specify BYPASSRLS.

Currently supautils has custom code for granting BYPASSRLS via privileged_role, which internally we turn into superuser.. but this is no longer necessary.

Solution

Disable the BYPASSRLS feature with privileged_role for pg >= 16. Doing ALTER ROLE privileged_role BYPASSRLS is enough for allowing granting BYPASSRLS to other roles.

cc @soedirgo

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions