| From: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, David Steele <david(at)pgmasters(dot)net>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Gavin Flower <GavinFlower(at)archidevsys(dot)co(dot)nz>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Eisentraut <peter_e(at)gmx(dot)net>, Adam Brightwell <adam(dot)brightwell(at)crunchydatasolutions(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Petr Jelinek <petr(at)2ndquadrant(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Additional role attributes && superuser review |
| Date: | 2015-11-30 19:44:30 |
| Message-ID: | 20151130194430.GB2763@alvherre.pgsql |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Stephen Frost wrote:
> * Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
> > > I can think of a use-case for a user who can call pg_switch_xlog, but
> > > not pg_start_backup()/pg_stop_backup(), but I have to admit that it
> > > seems rather limited and I'm on the fence about it being a worthwhile
> > > distinction.
> >
> > Sounds too narrow to me. Are we going to have a separate predefined
> > role for every security-restricted function to which someone might
> > want to grant access? That seems over the top to me.
>
> I certainly don't want to go down to that level and was, as seen above,
> unsure about having pg_switch_xlog() as a differentiated privilege.
> Michael, do you still see that as a useful independent capability?
Hmm, Robert's argument seems reasonable -- we can continue to offer
access to individual elements by granting execute on a security-definer
function owned by predefined user pg_backup.
--
Álvaro Herrera http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andres Freund | 2015-11-30 20:03:44 | Re: Remaining 9.5 open items |
| Previous Message | Tom Lane | 2015-11-30 19:43:59 | Remaining 9.5 open items |