From: Andres Freund <andres(at)2ndquadrant(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Adam Brightwell <adam(dot)brightwell(at)crunchydatasolutions(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Petr Jelinek <petr(at)2ndquadrant(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Additional role attributes && superuser review
Date: 2015-01-26 18:59:01
Message-ID: 20150126185901.GB5568@awork2.anarazel.de
Lists: pgsql-hackers

On 2015-01-26 13:47:02 -0500, Stephen Frost wrote:
> * Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
> > On Wed, Jan 21, 2015 at 11:27 AM, Adam Brightwell
> > <adam(dot)brightwell(at)crunchydatasolutions(dot)com> wrote:
> > > After re-reading through this thread it seems like EXCLUSIVEBACKUP (proposed
> > > by Magnus) seemed to be a potentially acceptable alternative.
> >
> > So this would let you do pg_start_backup() and pg_stop_backup(), but
> > it wouldn't let you run pg_basebackup against the server?
>
> Right. We already have a role attribute which allows pg_basebackup
> (replication). Also, with pg_basebackup / rolreplication, your role
> is able to read the entire data directory from the server, that's not
> the case with only rights to run pg_start/stop_backup.
>
> In conjunction with enterprise backup solutions and SANs, which offer
> similar controls where a generally unprivileged user can have a snapshot
> of the system taken through the SAN interface, you can give users the
> ability to run ad-hoc backups of the cluster without giving them
> superuser-level access or replication-level access.
I'm sorry if this has already been discussed, but the thread is awfully
long already. But what's actually the point of having a separate
EXCLUSIVEBACKUP permission? Using it still requires full file system
access to the data directory, so the additional permissions granted by
replication aren't really relevant.
I don't think the comparison with the SAN snapshot functionality is apt:
The SAN solution itself will still run with full data access. Just
pressing the button for the snapshot requires less. You're comparing
that button to pg_start/stop_backup() - but that doesn't make sense,
because it's only useful if somebody actually takes the backup during
that time.
Greetings,
Andres Freund
--
Andres Freund http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
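
The split the two sides are arguing about, as an added illustration that is not code from this thread or from PostgreSQL itself: it uses the ordinary function-level EXECUTE grants that PostgreSQL 10 through 14 ship (the hardcoded superuser check on pg_start_backup()/pg_stop_backup() was dropped in favour of ACLs, rather than the EXCLUSIVEBACKUP attribute proposed here), and the role names and password are made up for the example.

```sql
-- Added example, not from the thread or the PostgreSQL tree.
-- Assumes PostgreSQL 10 through 14, where pg_start_backup()/pg_stop_backup()
-- are ordinary functions guarded only by EXECUTE privilege (in 15+ they were
-- renamed pg_backup_start()/pg_backup_stop()). Role names are hypothetical.

-- The "button": may bracket a backup and nothing more. Whoever actually copies
-- the data directory still needs file system or SAN-snapshot access to it.
CREATE ROLE backup_button LOGIN PASSWORD 'example-only';
GRANT EXECUTE ON FUNCTION pg_start_backup(text, boolean, boolean) TO backup_button;
GRANT EXECUTE ON FUNCTION pg_stop_backup(boolean, boolean)        TO backup_button;

-- The "streamer": REPLICATION lets it run pg_basebackup and pull every file in
-- the data directory over the wire, given a matching "replication" line in
-- pg_hba.conf; no file system access on the server is needed.
CREATE ROLE backup_streamer LOGIN REPLICATION PASSWORD 'example-only';

-- What each role can do, for comparison (non-exclusive mode, so the session
-- that called pg_start_backup() must stay open until pg_stop_backup()):
--   backup_button:   SELECT pg_start_backup('adhoc', true, false);
--                    -- ... copy taken by an operator or SAN snapshot ...
--                    SELECT * FROM pg_stop_backup(false, true);
--   backup_streamer: pg_basebackup -U backup_streamer -D /path/to/target

-- Verify the split from the catalog: only backup_streamer has rolreplication,
-- only backup_button was given EXECUTE explicitly, and neither is a superuser.
SELECT rolname,
       rolsuper,
       rolreplication,
       has_function_privilege(rolname,
                              'pg_start_backup(text, boolean, boolean)',
                              'EXECUTE') AS can_start_backup
FROM pg_roles
WHERE rolname IN ('backup_button', 'backup_streamer');
```

Note that REPLICATION roles can also call pg_start_backup()/pg_stop_backup() in these versions, so the second role is a strict superset of the first as far as backups go; the question in the thread is whether the first, narrower grant is worth having on its own when the copy still has to be made by something with full data-directory access.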